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1  Introduction 


Planning  and  scheduling  tasks  are  inherently  complex.  In  computational  terms,  they 
are  intractable,  i.e..  NP-hard  or  worse.  .\s  a  practical  consequence,  realistic  size  plan¬ 
ning  and  scheduling  problems  cannot  be  solved  optimally  in  a  "reasonable"  amount  of 
time.  Nonetheless,  solutions  have  to  be  found  for  real-world  problems,  and  therefore 
heuristic  approaches  have  to  be  adopted,  ideally  with  some  guarantee  on  the  quality 
of  the  solution. 

This  paper  focus  on  the  real-world  problem  of  multiple  resource-constrained  project 
management.  This  problem  is  very  common  in  manufacturing  and  it  is  a  generaliza¬ 
tion  of  the  well-known  job-shop  scheduling  problem  (Blazewicz  et  al  83,  Vaessens  et  al  94). 
As  a  particular  instance  of  this  problem,  we  consider  the  management  of  outages  of 
nuclear  power  plants.  An  outage  is  a  planned  shutdown  for  refueling,  repeiir,  and 
maintenaince.  It  is  a  rather  daunting  real-world  task  that  may  involve  from  10, 000 
up  to  45, 000  activities.  In  the  domain  of  nuclear  power  plants,  risk  and  safety  man¬ 
agement  are  sine  qua  non  conditions  and  therefore  a  planning  and  scheduling  system 
(automatic  or  manual)  has  to  enforce  safety  constraints  guaranteeing  that  the  state 
of  the  plant  is  safe  at  amy  time  during  an  outage.  The  current  automatic  technology 
for  outage  scheduling  used  by  the  utilities  does  not  taike  into  consideration  saifety 
requirements  —  currently,  safety  and  risk  management  still  heavily  rely  on  the  expe¬ 
rience  of  the  manual  schedulers,  rather  than  on  automatic  procedures.  Furthermore, 
in  this  domain,  the  existence  of  good  automatic  solutions  is  not  only  crucial  for  nu¬ 
clear  safety  reasons  but  also  for  economic  reasons  —  the  cost  per  day  of  shutdown  is 
in  the  order  of  Sl,000,000. 

We  report  on  a  successful  project  for  transference  of  advanced  .41  technology  into 
the  domain  of  planning  of  outages  of  nuclear  power  plants,  a  collaboration  between 
Rome  Laboratory,  the  Electric  Power  Research  Institute,  Kamcin  Science,  and  Kestrel 
Institute  as  pairt  of  DOD’s  dual-use  program.  The  softwaxe  environment  selected  for 
this  project  was  KIDS  (Kestrel  Interactive  Development  System) [Smith  91],  which 
is  a  set  of  semiautomatic  tools  to  transform  declarative  problem  specifications  into 
correct  and  efficient  programs.  The  main  goal  of  the  project  was  to  evaluate  the  use 
of  trzmsformational  approaches  and  Al  technology  to  solve  real-world  planning  and 
scheduling  problems  involving  complex  constreiints. 

ROMAN  (Rome  Lab  Outage  Manager)  is  the  prototype  system  that  was  developed  as 
a  result  of  this  project  [Gomes  k  Smith  96].  ROMAN’S  main  innovation  compared  to 
the  current  state  of  the  art  of  outage  management  tools  is  its  capability  to  automat¬ 
ically  enforce  safety  constrziints  during  the  planning  and  scheduling  phase.  Another 
innovative  aspect  of  ROMAN  is  its  generation  of  more  robust  schedules  that  are  fea¬ 
sible  over  time  windows.  In  other  words,  ROMAN  generates  a  family  of  schedules 
by  assigning  time  intervals  as  start  times  to  activities  rather  than  single  point  start 
times,  without  afecting  the  overall  duration  of  the  project. 
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Roman  uses  a  rich  representation  for  the  state  of  the  plant  at  any  time  (as  in  plan¬ 
ning  approaches)  which  allows  for  efficient  constraint-based  reasoning,  in  particular, 
temporal  reasoning  (as  in  scheduling).  The  problem  is  modeled  as  a  constraint  sat¬ 
isfaction  problem  combining  a  global  search  tactic  with  constraint  propagation.  The 
derivation  of  very  specialized  representations  for  the  constraints  to  perform  efficient 
propagation  is  a  key  aspect  for  the  generation  of  very  fast  schedules  —  constraints 
are  compiled  into  the  code,  which  is  a  novel  aspect  of  our  work  using  an  automatic 
programming  system,  KIDS.  In  order  to  increase  schedule  robustness  our  approach 
entails  the  generation  of  families  of  schedules  with  the  same  completion  time  and  that 
are  feasible  over  time  intervals. 

In  the  next  section  we  describe  related  work.  In  section  3  we  define  the  outage 
problem  and  in  section  4  we  discuss  the  current  state-of-the-art  of  outage  management 
for  nuclear  power  plants  and  its  limitations.  Section  5  describes  ROMAN  in  detail. 
Section  7  summarizes  the  main  results  achieved  with  ROMAN. 


2  Related  Work 


Our  approach  to  scheduling  uses  global  search  methods  as  opposed  to  local  search 
[Gomes  &  Smith  96].  Local  search  techniques  are  based  on  the  idea  of  improving  ex¬ 
isting  solutions  by  iteratively  making  small  changes.  A  local  search  algorithm  defines  a 
walk  in  which  each  solution  is  a  neighbor  of  a  previous  visited  solution.  Examples  of  lo¬ 
cal  search  approaches  are  repair  methods  (e.g.,  [Zweben  et  al  94,  Selman  &  Kautz  93, 
Minton  et  a/ 90]),  fix-point  iteration[Cai  k  Paige  89],  and  linear  programming  algo¬ 
rithms.  Global  search  methods  on  the  other  hand  focus  on  incrementally  generat¬ 
ing  a  solution  by  repeatedly  splitting  an  initial  set  of  solutions  into  subsets  until  a 
feasible  or  optimal  solution  can  be  extracted.  Examples  of  global  search  methods 
include  backtrack,  heuristic  search,  branch-and-bound.  Examples  of  approaches  to 
scheduling  taking  a  global  search  perspective  are  OPIS/DITOPS  [Smith  94]  Micro- 
Boss  [Sadeh  94]. 

The  main  innovation  of  our  approach  compared  to  other  AI  scheduling  approaches  is 
the  derivation  of  very  specialized  constraints  that  are  compiled  into  the  search  and 
control  mechanisms  [Gomes  &  Smith  96].  Other  approaches  to  scheduling  use  con¬ 
straint  representations  and  operations  that  are  geared  for  a  broad  class  of  problems, 
while  our  approach,  a  transformational  approach,  derives  specialized  representations 
for  constraints  allowing  fast  constraint  checking  and  constraint  propagation. 

Another  novel  aspect  of  our  approach  is  the  generation  of  schedules  that  are  feasible 
over  time  windows  rather  than  having  single  time  points  as  start  times.  With  our 
approach,  we  generate  an  infinite  family  of  schedules  that  have  the  same  completion 
time.  Existing  AI  approaches  to  scheduling  with  complex  state  variables  only  generate 
a  single  solution,  feasible  for  single  start  times,  without  any  guarantees  of  feasibility 
over  time  windows  [Gomes  &  Smith  96]. 
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The  framework  selected  for  this  project  was  KIDS  (Kestrel  Interactive  Development 
System)  [Smith  91],  which  supports  users  in  transforming  declarative  problem  specifi¬ 
cations  into  correct  and  efficient  programs.  The  transformations  provided  in  KIDS  are 
designed  to  perform  significant  and  meaningful  actions  in  terms  of  search  efficiency. 
The  various  transformations  in  KIDS  include:  algorithmic  transformations,  program 
optimization  techniques  and  data  structures  refinement.  The  algorithmic  transfor¬ 
mations  allow  the  user  to  add  search  and  control  mechanisms  to  a  given  problem 
specification.  Finite  differencing  is  another  important  transformation  provided  by 
KIDS.  KIDS  uses  a  form  of  deductive  inference  called  directed  inference  to  reason 
about  the  problem  specification  in  order  to  automatically  apply  tactics,  derive  filters 
and  perform  constraint  propagation  [Smith  et  al  95]. 

KIDS  has  been  used  to  derive  a  very  fast  transportation  scheduler  for  the  US  Trans¬ 
portation  Command,  KTS  (Kestrel  Transportation  Scheduler)  [Smith  k  Parra  93].  A 
typical  transportation  problem  with  10, 000  movement  requirements  takes  the  derived 
scheduler  1  to  3  minutes  to  solve,  compared  with  2.5  hours  for  a  deployed  feasibility 
estimator  (JFAST)  and  36  hours  for  deployed  schedulers  (FLOGEN,  ADANS).  The 
computed  schedules  use  relatively  few  resources  and  satisfy  all  specified  constraints. 
The  speed  of  this  scheduler  was  due  to  the  synthesis  of  strong  constraint  checking 
and  constraint  propagation  code  [Smith  et  al  95].  In  this  paper  we  show  how  this  ap¬ 
proach  can  be  extended  to  tackle  a  much  richer  real-world  scheduling  task  involving 
complex  state  variables  and  time  windows. 


3  Planning  and  Scheduling  of  Nuclear  Power  Plant 
Outages 


The  planning  and  scheduling  of  the  operations  involved  in  the  outages  of  nuclear  power 
plants  has  a  great  impact  in  terms  of  the  outage  costs  (replacement  power,  labor  cost, 
etc.),  use  of  scarce  resources  and  implementation  of  safety  procedures.  Prior  to  1979, 
before  the  accident  at  Three  Mile  Island  (TMI),  refueling  was  the  driving  factor  of 
outages  of  nuclear  power  plants:  maintenance  plans  were  governed  by  the  projected 
duration  of  refueling  activities.  After  the  TMI  accident,  the  focus  turned  to  improving 
nuclear  power  plant  effectiveness.  The  duration  of  an  outage  was  determined  not  only 
by  refueling  activities,  but  by  the  v/ork  and  plant  modifications  required  to  make 
the  plant  safer  and  more  effective  [PSDI  94,  V/allace  90].  Throughout  the  1980s, 
backfits  and  the  aging  of  nuclear  power  plants  has  reversed  outage  scope  priorities 
and  methodologies.  Often  the  refueling  activities  no  longer  dictate  the  critical  path 
in  an  outage. 
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3.1  Definition  of  Problem 


The  problem  of  planning  and  scheduling  nuclear  power  plant  outages  can  be  stated 
as  follows: 


Given  a  set  of  outage  activities  (refueling  operations,  repairs,  modifica¬ 
tions,  and  maintenance  activities),  a  set  of  resources,  and  a  set  of  techno¬ 
logical  constraints,  assign  times  and  resources  to  the  activities  in  such  way 
that  the  completion  of  the  outage  is  minimized  while  safely  performing  all 
the  activities  required  by  the  outage. 


3.1.1  Activities 

Depending  on  the  planning  and  scheduling  procedures  of  each  particular  plant,  as  well 
as  the  scope  of  the  activities  performed  during  the  outage,  the  planning  and  scheduling 
of  outages  for  nuclear  power  plants  might  involve  from  15,000  up  to  45,000  activities. 
During  an  outage  several  activities  are  performed,  such  as: 

•  Refueling  operations 

•  Plant  betterment 

•  Preventive  maintenance 

•  Corrective  maintenance 

•  Technical  specification  requirements  for  inspections  or  surveillance. 

Relationships  between  activities  that  are  explicitly  defined  in  work  order  activities 
are  temporal  relationships  (e.g.,  activity  A  precedes  (follows)  activity  B).  Other 
constraints  between  activities  arise  as  a  result  of  different  requirements  in  terms  of 
feasible  plans  and  schedules.  Requirements  regarding  feasible  plans  and  schedules  are 
outlined  in  the  next  paragraphs. 


3.1.2  Plant  Configuration  and  Risk  Management 

The  general  principle  underlying  the  outage  procedures  is  that  outages  should  be  as 
short  as  possible,  maintaining  the  appropriate  level  of  nuclear  safety.  In  other  words, 
the  outage  should  be  planned  and  managed  to  reduce  shutdown  risks  through  the 
appropriate  consideration  of  defense  in  depth  and  preventive  measures.  The  concept 
of  defense  in  depth,  used  for  the  purpose  of  managing  risk  during  shutdown  consists 
of: 


4 


•  providing  systems,  structures  and  components  to  ensure  backup  of  key  safety 
functions  using  redundant,  alternate  or  diverse  methods; 

•  planning  and  scheduling  outage  activities  in  a  manner  that  optimizes  safety 
system  availability 

Main  safety  functions  and  systems  components  that  are  monitored  to  implement  the 
concept  of  defense  in  depth  are: 


•  electricity  power  control  system 

•  primary  and  secondary  containment 

•  fuel  pool  cooling  system 

•  inventory  control 

•  reactivity  control 

•  shutdown  cooling 

•  vital  support  systems 

Figure  1  depicts  the  decision  tree  regarding  safety  levels  for  a  simple  safety  function, 
electricity  power  control. 


3.1.3  Resources 

The  main  type  of  resource  taken  into  consideration  when  planning  and  scheduling 
nuclear  power  plant  outages  is  labor,  organized  into  different  skill  groups.  Other 
resources  that  are  considered  include: 


•  reactor  building  crane 

•  laydown  areas 

•  water  purification  and  storage  systems 

•  radioactive  waste  system 

•  specialized  equipment 


ROAMN  does  not  include  resource  assignment. 


5 


>=:  3  GREEN 
2  YELLOW 

1  ORANGE 
0  RED 

>=  3  YELLOW 

2  ORANGE 
<=  1  RED 


4  YELLOW 
3  ORANGE 
<=2  RED 


3  YELLOW 
2  ORANGE 
<=1  RED 


4  YELLOW 
3  ORANGE 
<:=  2  RED 


4  ORANGE 
<=  3  RED 


Figure  1:  Safety  Function  -  Electricity  Power  Control 

4  Outage  Planning  and  Scheduling  in  the  Real 
World 


There  are  approximately  110  nuclear  plants  operating  in  the  US.  Our  knowledge  about 
the  way  outage  planning  and  scheduling  is  performed  in  real  world  environment  only 
considers  the  power  plant:-;  that  are  members  of  EPRI,  the  Electric  Power  Research 
Institute.  Nevertheless,  we  consider  our  sample  representative  since  most  of  the  op¬ 
erating  nuclear  power  plants  are  members  of  EPRI,  with  some  notable  exceptions  like 
Florida  Power  and  Pacific  Gas  &  Electric. 
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4.1  Time  Window  Assignment 


The  current  automatic  planning  and  scheduling  techniques  used  by  the  utilities  are 
very  simple  -  planning  and  scheduling  still  heavily  relies  on  the  experience  of  the 
manual  schedulers  rather  than  on  automatic  procedures.  In  the  late  1970s,  utilities 
began  to  use  the  project  management  techniques  to  control  nuclear  refueling  outages. 
Current  automatic  approaches  to  outage  scheduling  mainly  consist  of  the  applica¬ 
tion  of  automatic  project  management  techniques,  such  as  PERT  and  CPM  tech¬ 
niques.  The  software  currently  used  by  the  utilities  to  perform  their  outage  planning 
and  scheduling  tasks  are  mainly:  Primavera  Project  Planner  for  Windows  (personal 
computers),  Project/2  (mainframes),  Project2/X  for  Windows  (personal  computers). 
Prestige  (mainframes)  and  OpenPlan  (personal  computers). 

Some  sites  use  activity  based  scheduling  only.  Activities  (work  orders)  and  temporal 
relationships  between  activities  are  coded  into  the  software^  and  a  PERT/CPM 
network  is  generated.  The  PERT/CPM  network  can  then  be  manually  perturbed  to 
meet  resource  requirements,  safety  requirements,  and  other  requirements. 

When  system  windows  are  used  for  scheduling,  milestones  and  key  events  are  set  up 
based  on  experience  and  the  status  of  key  components  between  the  milestones  deter¬ 
mines  the  position  of  the  system  windows.  The  activities  (work  orders)  are  manually 
assigned  to  the  system  windows  where  they  are  allowed  to  be  performed  within  the 
scope  of  the  predecessor-successor  relationships.  Pert/CPM  network  is  generated 
considering  the  activities,  the  pre-defined  system  windows  and  the  milestones.  The 
Pert / CPM  network  can  then  be  manually  perturbed  to  meet  resource  requirements, 
safety  requirements  and  other  requirements. 


4.2  Plant  Configuration  and  Risk  Management 

Safety  and  risk  assessment  have  been  by  far  manual  processes  which  call  on  the 
expertise  of  the  personnel  involved  to  make  decisions  based  on  published  policies 
and  procedures.  In  order  to  ensure  that  the  sequence  of  activities  performed  during 
an  outage  follows  the  safety  requirements,  the  schedule  produced  using  PERT/CPM 
software  tools  is  evaluated  using  a  risk  assessment  methodology.  If  the  schedule  does 
not  meet  the  safety  requirements,  manual  adjustments  have  to  be  performed.  ORAM 
(Outage  Risk  Assessment.  Methodology)  ia  one  of  the  most  popular  software  tools 
used  to  perform  the  risk  assessment  of  schedules.  It  simulates  the  execution  of  the 
schedule  keeping  track  of  the  configuration  of  the  plant  at  any  time  and  therefore 
evaluating  the  risk  inherent  to  a  schedule  at  any  time  during  its  execution. 

^Actually,  the  only  type  of  temporal  relationship  handled  by  the  current  software  is  the  relation¬ 
ship  before/after  with  the  possibility  of  definition  of  slacks. 
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4.3  Resources 


During  automatic  generation  of  schedules  resources  are  assumed  to  be  unlimited. 
Manual  adjustments  are  performed  a  posteriori  in  order  to  meet  the  resource  require¬ 
ments. 


5  ROMAN  -  Rome  Lab.  Outage  Manager 

roman’s  approach  combines  a  constraint  satisfaction  paradigm  with  global  search 
and  constraint  propagation  [Gomes  &  Smith  96].  ROMAN  includes  all  the  technolog¬ 
ical  constraints  currently  incorporated  in  the  automatic  tools  used  by  the  utilities  for 
schedule  generation.  In  addition,  it  includes  all  the  constraints  regarding  the  safety 
function  AC  power.  Other  safety  functions  could  be  modeled  in  a  similar  way.  A 
top  level  formal  specification  of  the  outage  problem  including  the  safety  function  AC 
power  follows:^ 


function  :  safe- outage- windows  (^activities) 
returns{schedule  \ 

Consistent- Activity-Separation{schedule)  A 
Consistent- AC-power (schedule)  A 
All-activities-scheduled (activities,  schedule)) 


In  this  formulation  activities  correspond  to  the  set  of  activities  to  be  performed. 
Each  activity  has  a  given  duration,  a  set  of  predecessors,  and  a  set  of  effects  on 
resources.  The  schedule  is  a  partial  order  of  activities.  Activities  in  the  schedule 
have  time  windows  assigned  to  it.  A  time  window  defines  the  earliest  start  time 
(est)  and  latest  start  time  (1st)  of  an  activity,  such  that  the  activity  can  start  at 
any  time  during  the  window  without  increasing  the  overall  duration  of  the  project. 
Given  the  duration  of  the  activity,  the  earliest  finish  time  (eft)  and  latest  finish 
time  (Ift)  can  be  calculated.  The  predicate  Consistent-Activity-Separation(schedule) 
states  that  all  the  activities  in  the  schedule  satisfy  the  precedence  constraints.  The 
predicate  Consistent-ac-power(schedule)  states  that  the  schedule  verifies  the  safety 
constraints,  from  an  AC  power  point  of  view.  As  a  completeness  condition,  the  predi¬ 
cate  All-activities-scheduled  (activities,  schedule)  states  that  all  the  activities  have  to 
be  scheduled. 

The  notion  of  state  of  the  plant  is  a  key  concept  in  enforcing  safety  constraints.  In 
outage  management  the  state  of  the  plant  is  measured  in  colors  —  green,  yellow, 
orange  or  red,  in  this  order  of  increasing  risk  —  and  is  computed  by  considering 

^We  modeled  the  AC  power  safety  function  as  a  proof  of  concept.  Other  safety  functions  could 
be  modeled  in  a  similar  way. 
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complex  decision  trees  regarding  safety  levels  as  illustrated  in  Figure  2.  For  instance, 
if  there  is  an  activity  being  executed  that  has  the  potential  to  cause  AC  power  loss, 
then  in  order  for  the  plant  to  be  in  a  yellow  state  it  is  required  to  have  two  off-site 
AC  power  sources  available  and  three  operable  emergency  safeguard  buses. 


>=  3  GREEN 
2  YELLOW 

1  ORANGE 
0  RED 

>=  3  YELLOW 

2  ORANGE 
<=  1  RED 


4  YELLOW 
3  ORANGE 
<=2  RED 


3  YELLOW 
2  ORANGE 
<=1  RED 


4  YELLOW 
3  ORANGE 
<=2RED 


4  ORANGE 
<=3RED 


Figure  2:  Example  of  a  decision  tree  for  the  safety  function  AC  Power 

Since  the  start  times  of  activities  are  defined  over  time  windows,  we  introduce  two 
concepts  regarding  the  execution  of  an  activity:  the  definite  period  and  the  potential 
period  oi  an  activity,  fhe  definite  period  of  an  activity  corresponds  to  the  period  of 
time  during  which  the  activity  is  definitely  being  execute  —  it  is  the  interval  of  time 
between  the  latest  start  time  of  the  activity  {1st)  and  its  earliest  finish  time  (eft). 
The  potential  period  of  an  activity  corresponds  to  the  period  of  time  during  which 
the  activity  may  be  executed  —  it  is  the  time  period  between  the  earliest  start  time 
of  the  activity  (est)  and  its  latest  finish  time  (Ift).  Figure  3  illustrates  the  notion  of 
definite  period  of  an  activity.  Notice  that  activity  A  does  not  have  a  definite  period, 
since  its  earliest  finish  time  is  before  its  latest  start  time. 
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<  <  >  >  A 

est  eft  1st  1ft 

<  > — <  >  B  <  > - <  >  C 

est  1st  eft  1ft  est  1st  eft  1ft 

<  > - <  >D  <> — <>  E 

est  1st  eft  1ft  est  1st  eft  1ft 


-  definite  period 

Figure  3:  Notion  of  a  definite  period. 

In  addition,  we  define  two  other  concepts:  definite  state  of  the  plant  and  potential 
state  of  the  plant.  The  definite  state  of  the  plant  is  associated  with  the  concept  of 
definite  period:  it  represents  the  state  of  the  plant  for  a  given  safety  function  (e.5'., 
AC  power)  assuming  that  activities  are  only  executed  during  their  definite  period. 
The  concept  of  potential  state  of  the  plant  is  associated  with  the  concept  of  potential 
period  of  an  activity:  it  represents  the  state  of  the  plant  for  a  given  safety  function 
assuming  that  activities  are  executed  during  the  whole  extension  of  their  potential 
periods.  The  potential  state  of  the  plant  is  always  “equal”  or  “greater”  than  the 
state  of  the  plant  since  the  definite  period  of  an  activity  tends  to  underestimate  the 
duration  of  activities  while  the  potential  period  of  an  activity  tends  to  overestimate 
the  duration  of  activities.  Figure  4  gives  an  example.  Note  that  during  certain  time 
intervals,  the  definite  and  potential  states  of  the  plant  coincide. 


5.1  Search  and  Control  Mechanisms 

KIDS  provides  algorithmic  transformations  that  add  control  and  search  mechanisms 
to  a  given  specification.  The  search  tactic  selected  for  the  outage  problem  was  global 
search  {see  next  section).  Figure  5  summarizes  the  approach  adopted  in  ROMAN 
[Gomes  &:  Smith  96]. 

Initially  global  search  is  applied  to  the  formal  specification  of  the  outage  problem 
in  order  to  generate  a  schedule,  assuming  the  definite  period  of  activities.  Since  the 
notion  of  definite  period  tends  to  underestimate  the  duration  of  the  activities,  it  is  very 
likely  for  the  schedule  produced  in  this  initial  phase  not  to  be  feasible  from  the  point 
of  view  of  the  potential  state  of  the  plant.  In  order  to  enforce  the  safety  threshold 
for  the  potential  state  of  the  plant  at  any  time  during  the  outage,  “refinement”  of 
the  time  windows  of  the  initial  schedule  takes  place.  In  the  next  section,  we  describe 
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Figure  4:  Definite  and  potential  states  of  the  plant. 


global  search  theory. 


5.1.1  Global  Search  Theory 

Global  search  [Smith  87,  Smith  et  al  95]  is  a  backtrack  algorithm,  a  refinement  of 
generate-and-test.  The  tactic  is  implemented  by  finding  a  space  containing  all  the 
solutions  to  the  problem  that  can  be  divided  into  nested  subspaces.  The  global 
search  algorithm  starts  with  an  initial  set  that  contains  all  the  solutions  to  the  given 
problem  instance,  repeatedly  extracts  solutions,  splits  sets,  and  eliminates  subsets 
using  propagation,  until  no  sets  remain  to  be  split.  The  process  can  be  described  as  a 
tree  search  in  which  a  node  represents  a  set  of  candidates,  and  an  arc  represents  the 
split  relationship  between  a  set  and  a  subset.  The  principal  operations  are  to  extract 
candidate  solutions  from  a  set  and  to  split  a  set  into  subsets.  The  derivation  of 
efficient  cutting  constraints  that  eliminate  subspaces  that  do  not  contain  any  feasible 
solution  is  an  important  complementary  operation  in  the  derivation  of  the  global 
search  tactic. 

Figure  6  illustrates  the  global  search  theory  for  the  initial  scheduling  of  the  activities 
considering  their  definite  periods.  In  this  global  search  theory  the  initial  subspace 
descriptor  (pattiai  ich:.dc«le)  is  the  empty  sequence  (empty  schedule).  SpltUing  cor¬ 
responds  to  appending  an  unscheduled  activity,  with  a  given  time  wiiidow,  to  the 
partial  schedule.  Cutting  corresponds  to  propagating  the  constraints  over  the  time 
windows  of  the  activities  in  the  partial  schedule.  Notice  that  cutting  makes  the  time 
windows  shrink.  It  can  also  split  a  time  window  as  in  the  case  of  activity  G  -  due 
to  propagation,  activity  G's  window  was  split  into  two.  As  we  can  see  from  figure  6 
most  of  the  work  in  this  global  search  theory  is  performed  by  constraint  propagation. 
Splitting  corresponds  to  just  selecting  the  next  activity  to  schedule,  using  a  heuristic 
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Figure  5:  ROMAN’S  approach 

that  favors  shorter  schedules^.  Extraction  takes  place  when  all  the  activities  have 
been  scheduled. 

The  operator  extract  corresponds  to  the  second  global  search  algorithm.  Refinement 
of  time  windows  takes  place  if  after  applying  the  initial  global  search  to  the  outage 
problem  the  potential  state  of  plant  does  not  satisfy  the  safety  requirements.  In  other 
words,  refinement  of  time  windows  is  required  to  enforce  the  safety  constraints  over 
the  potential  period  of  all  the  activities  in  the  initial  schedule.  This  is  achieved  by 
applying  a  new  global  search  to  the  formal  specification  of  the  outage  considering  now 
with  as  input  the  schedule  generated  in  the  initial  phase.  In  this  second  phase  the 
windows  of  the  activities  that  contribute  to  the  contention  periods,  i.e.,  the  periods  in 
which  the  potential  state  of  the  plant  is  above  the  safety  threshold,  are  systematically 
reduced  until  the  potential  state  of  the  plant  becomes  consistent  from  the  safety 
point  of  view  for  all  the  times  during  the  outage.  In  this  global  search  theory  for 
the  refinement  phase  splitting  corresponds  to  reducing  the  size  of  the  windows  of  the 
activities  involved  in  the  contention  periods. 


5.1.2  Constraint  Propagation 

One  of  the  important  features  of  our  approach  is  the  propagation  of  constraints. 
Figure  7  illustrates  the  concept,  where  psched  is  a  partial  schedule,  a  set  of  candidate 
solutions,  a  node  of  the  global  search  tree.  The  following  test  states  that  a  partial 

^We  also  define  a  topological  sort  of  the  unscheduled  activities  according  to  their  levels.  An 
activity  has  level  0  if  it  has  no  predecessors.  Activities  that  only  have  as  predecessors  activities  of 
level  0  have  level  1.  Activities  of  level  2  only  have  as  predecessors  activities  that  have  level  0  or  1, 
etc. 
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Figure  6:  Global  search  theory  for  the  Outage  Problem 
schedule  can  be  extended  to  a  complete  feasible  schedule:^ 


3  (sched)  {sched  e  psched  A  feasible{sched,  activities))  (1) 

However,  this  test  is  in  general  too  expensive,  computationally.  Instead,  we  derive 
necessary  conditions  for  (1),  filters,  i.e.: 

3(sched){sched  €  psched  A  feasible{sched,  activities)  ^{sched,psched)) 

(2) 

The  next  step  consists  in  incorporating  the  filter  derived  in  (2)  into  psched,  i.e.: 

({psched)  \/{sched){sched  e  psched  ^{sched, psched))  (3) 

The  test  ({psched)  holds  when  all  the  candidate  solutions  in  psched  satisfy  The 
main  issue  is,  when  a  given  psched  does  not  satisfy  (,  how  can  we  incorporate  ( 
into  pschedl  The  answer  is  to  find  the  greatest  refinement  of  psched,  psched  ,  that 
satisfies  (. 

^In  the  particular  case  of  the  outage  problem,  {sched  €  psched)  ■<=:>  (domain{psched)  C 
domain{sched)  A  V(i)i  G  domain{psched))  psched{i).est  <  sched{i).st  <  psched{i).lst) 

and  feasible{sched,  activities)  {consistent-separation{sched)  A  consistent-acp{sched))  A 

aU-activities-scheduled{activities,  sched)) 
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Figure  7:  Cutting  Constraints 


psched  =  maxz}{qsched  \  psched qsched  A  ({x,qsched)}  (4) 

which  asserts  that  psched^  is  maximal  over  the  set  of  descriptors  that  refine  psched 
and  satisfy  with  respect  to  ordering  □.  We  want  psched  to  be  a  refinement  of 
psched  so  that  all  of  the  information  in  psched  is  preserved  and  we  want  psched ^he 
maximal  so  that  no  other  information  than  psched  and  ^  is  incorporated  into  psched. 

The  refinement  relation  pschedj  □  pschedi  holds  when  the  completions  of  pschedi 
are  a  subset  of  the  completions  of  pschedj. 

KIDS  instantiates  a  program  scheme  for  global  search  with  constraint  propagation, 
incorporating  C  For  more  detail  on  propagation  in  KIDS  see  [Smith  et  al  95].  The 
challenge  in  order  to  take  advantage  of  the  propagation  mechanisms  provided  in  KIDS 
lies  in  finding  ^  -  even  though  KIDS  provides  a  tactic  to  synthesize  propagation  code 
incorporating  the  derivation  of  ^  using  the  system  relies  on  lemmas  supplied  by 
the  user  which  are  derived  manually. 

In  the  case  of  the  outage  problem,  the  predicate  Consistent- Activity-Separation{schedule) 
states  that  all  the  activities  in  the  schedule  satisfy  the  precedence  constraints.  The 
derivation  of  cutting  constraints  from  the  constraint  Consistent-Activity-Separation 
using  formulas  (2)  and  (3)  leads  to  the  well  known  constraints  on  est  and  1st,  as  used 
in  PERT.  Appendix  A  has  the  formal  derivation  of  constraints  from  the  constraint 
Consistent- Activity-Separation . 

The  derivation  of  cutting  constraints  for  Consistent- ACP  is  less  straightforward.  Ap¬ 
pendix  B  has  the  formal  derivation  of  constraints  from  the  constraint  Consistent- Activity- ACP . 
An  example  of  a  constraint  manually  inferred  from  Consistent- ACP  applying  formu¬ 
las  (2)  and  (3)  follows: 


W{i,tl,t2,act) 

i  €  domain{se{psched))  A  tl  =  se{psched){i).time  A  t2  =  se{psched){i  -f-  l).tiTne 
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act  €  domain{psched)  A  sacpl'l{tl,psched)  A 

unav-sources{tl,psched)  =TSACPL  A  affects-avail-acps? {act,psched) 
==^  psched{act).lft  <t\  M  psched{act).est  >  t2 


Where  se[psched)  computes  the  state  events  of  the  partial  schedule  considering  the 
definite  periods  of  activities.  A  state  event  corresponds  to  any  event  that  affects  the 
state  of  the  plant.  The  time  of  the  ith  state  event  of  the  partial  schedule  is  repre¬ 
sented  by  se(psched)(i).time,  the  predicate  sacpU{t^  sched)  tests  if  at  time  t  the  plant 
is  in  a  state  of  AC  power  loss,  unav-sources{t,psched)  =  T  SAC  PL  tests  if  at  time 
t  the  number  of  unavailable  AC  power  resources  equals  the  threshold  for  AC  power 
resource  unavailability  for  a  state  of  AC  power  loss,  affects-avail-acpsi{act^psched) 
tests  if  the  activity  act  affects  an  available  AC  power  resource,  and  psched[act).lft 
and  psched{act).est  correspond  respectively  to  the  latest  finish  time  and  earliest  start 
time  of  the  activity  act  of  the  partial  schedule  psched.  This  constraint  triggers  prop¬ 
agation  for  the  activities  that  affect  available  AC  power  resources  —  propagation 
eliminates  from  the  activities’  time  windows  the  periods  that  overlap  the  intervals 
that  correspond  to  a  state  of  AC  power  loss  with  number  of  unavailable  AC  power 
resources  equal  to  T  SAC  PL  (the  threshold).  In  other  words,  a  new  activity  that 
affects  available  AC  power  resources  cannot  occur  during  a  period  for  which  the  plant 
is  operating  at  the  threshold  regarding  the  AC  power  safety  function. 


5.1.3  Interaction  Between  The  Schedule  and  the  State  of  Plant 

A  main  principle  embodied  in  our  approach  is  incremental  computation  -  propaga¬ 
tion  illustrates  that  concept  -  whenever  a  new  activity  is  scheduled,  all  constraints 
are  immediately  propagated  over  the  schedule.  Finite  differencing  is  another  transfor¬ 
mation  that  allows  for  incremental  computation,  by  efficiently  maintaining  the  state 
of  plant.  Roughly,  the  idea  behind  finite  differencing  is  to  incrementally  evaluate  an 
expensive  expression  in  a  loop,  rather  than  recomputing  it  from  scratch  each  time.  As 
an  example,  let  us  assume  that  function  f[x)  calls  function  g{x)  and  that  x  changes 
in  a  regular  way.  In  this  case,  it  might  be  worthwhile  to  create  a  new  variable,  whose 
value  is  maintained  and  which  allows  for  incremental  computation.  By  abstracting 
function  /  with  respect  to  expression  g{x)  a  new  parameter  c  is  added  to  /’s  param¬ 
eter  list  (now  c  g[x)  is  added  as  a  new  input  invariant  to  /.  Any  call 

to  /,  v/hethei  a  recursive  call  within  /  or  an  external  call,  must  now  be  changed  to 
supply  the  appropriate  new  argument  that  satisfies  the  invariant  -  f{x)  is  changed  to 
f(x,g{x)).  In  this  process  all  occurrences  of  g{x)  are  replaced  by  c.  Often,  distribu¬ 
tive  laws®  apply  to  g(h{x))  yielding  an  expression  of  the  form  h'{g{x))  and  so  h'(c). 

®Laws  are  assertions  that  define  axioms  or  theorems,  i.e.,  statements  that  are  always  true.  An 
assertion  is  simply  a  true  statement  -  an  example  of  a  law  is  (A  -f-  5)  *  C  =  (A  *  C)  -f  (B  *  C),  or  ( 
A  and  B  — >  A).  The  idea  is  to  provide  information  on  how  to  distribute  predicates  and  functions 
over  the  main  constructors  of  the  variable  that  changes  in  a  regular  way,  exactly  in  the  same  way 
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The  real  benefit  in  the  optimization  comes  from  the  last  step,  because  this  is  where 
the  new  value  of  the  expression  g{h{x))  is  computed  in  terms  of  the  old  value  of  g{x). 
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Figure  8:  Interaction  between  the  schedule  and  the  state 

In  the  outage  problem  there  are  several  opportunities  for  finite  differencing  since 
the  state  of  the  plant  is  a  function  of  the  schedule  represented  by  the  constraint 
consist ent-acp {schedule).  Figure  8  shows  the  interactions  between  the  state  of  plant 
and  the  schedule  -  when  a  new  activity  is  scheduled,  it  impacts  the  schedule  and 
propagation  is  triggered.  Changes  in  the  schedule  impact  the  state  of  the  plant, 
which  is  incrementally  maintained  by  finite  differencing.  Changes  in  the  state  impact 
the  schedule  and  propagation  is  triggered,  which  impacts  the  schedule  and  so  on. 
The  key  issue  to  take  advantage  of  finite  differencing  is  to  provide  good  laws  on  how 
to  distribute  the  functions  to  be  finite  differenced  over  the  main  constructors  of  the 
partial  schedule,  e.g.,  over  appending  an  activity  to  the  schedule,  increasing  the  est 
of  an  activity,  etc. 

Appendix  A  and  appendix  B  contain  the  formal  derivation  of  cutting  constraints 
from  the  separation  constraint  and  from  the  ACP  constraint,  respectively.  Appendix 
C  contains  the  domain  theory  for  the  outage  problem  considering  the  separation 
constraints  and  the  constraints  for  ACP.  Appendix  D  contains  the  global  search  theory 
for  scheduling  considering  the  definite  period  of  activities  as  well  as  the  global  search 
theory  for  time  window  refinement  that  takes  into  consideration  the  potential  period 
of  activities. 


6  Performance  Results 


The  current  version  of  ROMAN  was  completed  in  November  1995,  and  it  has  been 
demonstrated  to  several  large  nuclear  power  plants  such  as  American  Electric  Power 
Service,  Baltimore  Gas  &  Electric,  PECO  Energy,  etc.  The  demonstration  was  suc¬ 
cessful,  and  EPRI,  a  consortium  of  more  than  90%  of  the  utilities  in  the  US,  is  looking 

one  would  write  a  law  about  how  to  distribute  multiplication  over  addition.  Additionally,  laws  also 
specify  special  cases,  for  instance  when  dealing  with  base  cases  (c.g.,  empty  sequences). 
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Figure  9:  Time  performance 


into  using  the  approach  embodied  in  ROMAN  to  build  the  next  generation  of  outage 
scheduling  tools  —  referred  to  as  Advanced  Technology  Outage  Scheduler. 

ROMAN  has  proven  successful  since  it  clearly  extends  the  current  functionality  offered 
by  existing  software  tools  for  outage  management.  All  the  technological  constraints 
currently  used  for  automatic  schedule  generation  are  incorporated  into  the  system. 
In  addition,  ROMAN  produces  schedules  enforcing  safety  constraints  —  AC  power 
was  used  as  a  proof  of  concept. 

The  current  version  of  ROMAN  schedules  up  to  2,000  activities  in  approximately  1 
minute  on  a  Sparc  2  (see  figure  9).  The  schedules  produced  by  ROMAN  are  often 
better  than  the  current  solutions  since  many  new  possibilities  are  explored  compared 
to  manual  solutions.  Human  schedulers  tend  to  aggregate  tasks  and  schedule  them 
as  blocks  rather  than  exploring  interesting  possibilities  that  occur  when  the  activities 
are  scheduled  separately. 

A  key  feature  of  ROMAN  that  utility  personnel  find  attractive  is  the  robust  schedules 
that  are  generated.  The  current  scheduler  generates  a  schedule  that  includes  start 
time  windows  for  each  task.  Choosing  any  start  time  within  the  window  for  a  task 
still  permits  feasible  execution  of  the  schedule.  The  window  provides  information 
about  how  critical  the  start  time  for  a  task  is  -  if  a  predecessor  task  is  delayed,  a 
user  can  decide  whether  there  still  enough  freedom  in  the  start  time  window  to  allow 
on-time  completion,  or  whether  it  is  time  to  reschedule  parts  of  the  overall  operation. 

ROMAN  currently  comes  configured  with  a  GUI  that  displays  an  interactive  Gantt 
chart  for  tasks,  showing  their  start  time  window,  duration,  task  description,  and 
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predecessors.  Another  Gantt  chart  shows  the  history  of  the  state  of  the  plant  with 
respect  to  AC  power. 


7  Conclusions  and  Future  Work 


ROMAN  has  successfully  demonstrated  that  outage  schedules  that  satisfy  safety  con¬ 
straints  can  be  automatically  generated  [Gomes  L  Smith  96].  To  develop  ROMAN 
into  a  practical  tool  requires  (1)  handling  a  richer  model  of  the  outage  domain,  and 
(2)  faster  code.  To  date  we  have  focused  on  one  particular  safety  function  dealing 
with  maintaining  adequate  sources  of  AC  power.  Future  work  is  planned  to  deal  with 
larger  and  more  realistic  problems,  as  well  as  with  other  critical  safety  constraints  and 
scheduling  scarce  resources  such  as  heavy  lifts  and  skilled  personnel.  Furthermore, 
we  plan  to  experiment  other  search  strategies,  in  particular  local  search  strategies. 
A  more  ambitious  goal  involves  the  automatic  generation  of  schedules  considering 
different  levels  of  risk. 
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Appendix  A  -  Derivation  of  Constraints  from 
the  Separation  Constraint 


Derivation  of  r) 

The  derivation  of  cutting  constraints  involves  two  steps. 

The  first  step  consists  of  deriving  necessary  conditions  for  the  feasibility  of  a  solution 
z  contained  in  a  space  descriptor  r,  i.e.: 

W{x  :  D,r  :  R,  z  :  R){Satisfies{z,r)  A  0(x,z)  ^(a:,z,  r))  (5) 

The  second  step  consists  of  making  sure  that  the  space  descriptors  (themselves)  satisfy 
the  necessary  conditions  for  containing  feasible  solutions,  i.e.: 

r)  'i{z  :  R){Satisfies{z,r)  ==^  ^(x,z,  r))  (6) 

In  the  following  section  we  describe  the  derivation  of  ^(x,  f)  for  the  safety  constraint 
designated  by  Consistent-Separation. 

Satisfies  and  Outuput  Condition  for  the  Outage  Problem 
Conventions: 

•  psched  -  partial  schedule 

•  sched  -  schedule 

Def  :  Satisfies{sched, psched) 

domain{psched)  C  domain{sched)  A 
V(<) 

i  €  domain(psched)) 

psched{i).est  <  sched{i).st  <  psched{i).lst 

Def  :  0 {acts,  psched) 

consistent-separation{sched)  A 
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consistent- acp{sched))  A 
aU-activities-scheduled{acts^  sched) 


Derivation  of  Cutting  Constraint  for  Separation 

Given  the  following  definition  for  a  separation  constraint: 

Def  :  consist€nt-separation{sched) 

i  G  domain{sched)  A  j  G  domain(^sched[i).pred) 

sched(i).st  >  sched{i).pred{j).st  +  sched{i).pred[j). duration 


Since; 


{A  ^  B)  h  {B  ^  B') 

(1^=^  B') 

And  by  definition  of  Sat: 

sched{i),st  >  sched{j),st  +  sched{j) .duration 
psched[i).lst  >  sched[i).pred{j).st-]r 
sched{i).pred[j). duration 

And  since: 

sched{i).pred{j). duration  =  psched{i).pred{j). duration 
And  Assuming: 

sched{i).pred{j)  =  sched[j) 
psched{i).pred[j)  =  psched{j) 
schtd{i).pred[j). duration  =  sched(j). duration 
psched{i).pred{j). duration  =  psched{j). duration 


V(Ai) 

i  G  domain{psched)  A  j  G  domain{psched{i).pred) 

psched{i).lst  >  sched[j)st  +  psched{i). duration 


Which  corresponds  to  a  cutting  constraint,  derived  from  consistent-separation{sched)).^ 

^As  we  will  show  below,  another  cutting  constraint  can  be  derived  from 
consistent-stparation{sched). 


Instantiation  of  ^  for  the  cutting  constraint  for  consistent-separation{sched)). 


({x,f)  'i{z  :  R){Satisfies{z,f)  =»  r))  (7) 

{  Satisfies{z,r)  A  0{x,z))  (8) 

In  the  outage  problem,  the  expressions  for  Satisfies{z,r)  and  ^{x,z,f)  (for  the 
consistent-separation)  are: 


Def  :  Satisfies[sched,psched) 

domain{psched)  C  domain{sched)  A 

V(i) 

i  €  domain{psched)) 

psched{i).est  <  sched{i).st  <  psched{i).lst 


Def  :  ‘^{acts,sched,psched)  (for  the  consistent- acp) 

V(i,i) 

i  €  domain(psched)  A  j  €  domain{pschtd{i).pred) 

psched{i).lst  >  Sched{j).st  +  psched{j). duration 


Combining  both  we  can  instantiate  ^{act,psched)  i.e., 


({act,psched)  \/(sched){Satisfies{sched,psched) 


'^{act,  sched, psched)) 

(9) 


Def  :  ^{act, psched) 

'i[sched) 

domain{psched)  C  domain{sched)  A 

V(i) 

i  €  domain{psched)) 

psched{i).est  <  sched{i).st  <  psched{i).lst 

==^  W{kJ) 

k  €  domain(psched)  A  j  €  domain(psched(k).pred) 
psched{k).lst  >  sched{j).st  psched{j). duration 
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Since:  A  A  B  C 


A 


B  => 


C 


V{sched) 

domain{psched)  C  domain{sched) 

V(i) 

i  6  domain(psched)) 

==^  psched{i).esi  <  sched[i).st  <  psched[i).lst 

V{k,j) 

k  €  domain{psched)  A  j  €  domain{psched{k).pred) 
psched{k).lst  >  sched{j).st  +  psched{j). duration 


Since:  j  £  domain{psched{i).pred)  C  domain{psched) 


'i[sched) 

domain{psched)  C  domain[sched) 

^  V(i) 

i  €  domain(psched)) 

=>  psched(i).est  <  sched(i).st  <  psched(i).lst 
V(A:,j) 

A;  6  domain(psched)  A  j  £  domain{psched)  A  j  £  domain{psched{k).pred) 
psched{k).lst  >  sched(j).st  +  psched{j). duration 


Since:  A  A  B  C 


A  B  C 


V{sched) 

domain{psched)  C  domain{sched) 

v(0 

i  £  domain{pschtd)) 
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>  psched{i).est  <  sched{i).st  <  psched{i).lst 

=>  V(j) 

j  G  domain{psched) 

y{k) 

k  G  domain{psched)  A  A  j  G  domain{psched{k).pred) 
=>  psched(k).lst  >  sched{j).st  +  psched{j). duration 


Since:  V(/i:)/^  G  5  =>  P(i^) 

==^ 

\I{K)K  es  A  T(K)  g(/0 

\/{K)K  eS  ^  P{K)  Q{K) 


\/{sched) 

domain{psched)  C  domain[sched) 

=4-  V(i) 

i  G  domain{psched)) 

psched{i).est  <  sched{i).st  <  psched{i).lst 

V(t) 

k  G  domain(psched)  A  A  e  G  domain(psched[k).pred) 
psched{k).lst  >  sched{i).st  -\-  psched{i). duration 


\/{sched) 

domain(psched)  C  domain{sched) 

=*■. 

i  G  dow,ain{psched)) 

=>•  pschedii) ,est  <  sched{i).st  <  psched(i).lst 

=>  vw 

G  domain(psched)  A  A  i  G  domain{psched{k).pred) 
psched{k).lst  >  sched{i).st  +  pschedii). duration 


Since:  A  J3  =>  C 


25 


A  A  B  C 


\/(sched) 

domain(psched)  C  domain{sched) 

=4-  V(i) 

i  €  domain{psched)) 

psched{i).est  <  sched{i).st  <  psched{i).lst 
A\/{k) 

k  €  domain[psched)  A  A  i  E  domain(psched{k).pred) 

psched{k).lst  >  sched{i).st  +  psched[i). duration 


Since:  A  {B  A  C) 


{A  A  B)  C 


W{sched) 

domain(psched)  C  domain[sched) 

=>  V(i,  k) 

i  G  domain(psched))  A  k  E  domain{psched) 

A  i  G  domain{psched{k).pred)  A  psched{i) .est  <  sched(i).st 
=>  sched(i).st  <  psched{i).lst 

psched{k).lst  >  sched{i).st  +  psched{i). duration 


\/(sched) 

domain(psched)  C  domain[sched) 

i  G  domain(psched))  A  &  G  domain(psched) 

A  i  G  domain(psched(k).pred)  A  psched(i).est  <  sched(i).st 
sched{i).st  <  psched{i).lst 

sched{i).st  <  psched(k).lst  —  psched{i). duration 


Replacing  sched  with  qsched: 
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domain[qshed)  =  domain(psched) 
V(a)  a  €  domain{qshed) 

qsched{a)  =  sched[a) 
(Assuming  that  each  activity  has  the 
index  in  psched,  qsched,  and  sched) 

Since:  [A'  A)  A  (A  =>  B) 

{A'  =»  B) 


W{qched) 

domain{psched)  C  domain{qsched) 

i  G  domain(psched))  A  k  £  domain{psched) 

A  i  G  domain{psched(k).pred)  A  psched(i).est  <  qsched{i).st 
qsched[i).st  <  psched(i).lst 

==^  qsched{i).st  <  psched(k).lst  —  psched{i). duration 


Since:  V(m)  5(m) 


V(a)  a  G  domain{m)  A  r(a) 

=>  {m{a)  <  p{a)  =>  m{a)  <  q{a)) 


S{p)  A  V(a)  a  G  domain[p)  A  T'(a) 

(p(a)  <  q{a) 


W{i,k) 

i  G  domain{psched))  A  k  ^  domain{psched) 

A  i  G  domain{psched{k).pred) 

psched{i).lst  <  psched(k).lst  —  psched{i). duration 


<=> 


27 


i  €  domain{psched))  A  k  ^  domain{psched) 

A  ^  €  domain{psched{k).pred) 

psched[i). 1st  +  psched[i). duration  <  psched{k).lst 


Since: 


psched(i).lst  +  psched{i). duration  =  psched{i).lft 


V(z,fc) 

i  €  domain{psched))  A  €  domain[psched) 
A  i  domain{psched(k).pred) 

==>  psched{i).lft  <  psched{k).lst 


Since:  j  €  domain[psched{i) .pred)  C  domain{psched) 


V(a  A:) 

A:  G  domain{psched) 

A  i  £  domain{psched{k) .pred) 

psched{i).lft  <  psched{k).lst 


i 
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Appendix  B  -  Derivation  of  Constraints  from 
the  ACP  constraint 


Derivation  of  f) 

The  derivation  of  cutting  constraints  involves  two  steps. 

The  first  step  consists  of  deriving  necessary  conditions  for  the  feasibility  of  a  solution 
z  contained  in  a  space  descriptor  r,  i.e.: 

V(x  :  D,f  :  R,  z  :  R)(Satisfies{z,  f)  A  0{xjz)  r))  (10) 

The  second  step  consists  of  making  sure  that  the  space  descriptors  (themselves)  satisfy 
the  necessary  conditions  for  containing  feasible  solutions,  i.e.; 

({x,r)  ^^=4^  ^{z  :  R){Satisfies{z,f)  =>  $(x,z,  f))  (11) 

In  the  following  section  we  describe  the  derivation  of  ^(x,  r)  for  the  safety  constraint 
designated  hy  AC  Power. 

Satisfies  and  Outuput  Condition  for  the  Outage  Problem 
Conventions: 

•  es(sched)  -  event  sequence  -  sequence  of  events  of  sched 

•  sacpll{t^  sched)  -  is  the  state  a  state  of  acp  loss,  at  time  t  given  sched? 

•  avacpr{t,  sched)  -  number  of  acp  resources  available,  at  time  t,  given  sched 

•  AC  PR  -  set  of  ACP  resources 

•  av't{x,t,  sched)  funav'!{x,t,  sched)-  is  resource  x  available  (unavailable)  at  time 
t,  given  sched? 

•  affects7{x,y)  does  activity  x  affect  resource  y? 

Def  :  Satisfies  {sched,  psched) 

domain{psched)  C  domain{sched)  A 
V(e  :  i  €  domain{psched)) 

psched{i).est  <  sched{i).st  <  psched{i).lst 
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Def  :  0{acts,pscked) 

consistent-separation{sched)  A 
consistent-acp(sched))  A 
all-activities-scheduled  [acts,  sched) 


Derivation  of  Cutting  Constraint  for  AC  Power 

Given  the  following  definition  for  a  safety  constraint  for  AC  Power: 


Def  :  consistent-acp (sched)) 

i  G  domain(es(sched))  A  ti  —  es(sched)(i)  A  t2  =  es(sched)(i  +  1) 
=>  sacpn(t,  sched) 

=>  avacpr(<  ti,t2  >,  sched)  >  T' 


Since:  A  B  =>  C 
A  A  B  C 


i  G  domain(es(sched))  A  ti  =  es(sched)(i)  A  t2  =  es(sched)(i  +  1) 
A  sacpP.(t,  sched) 

avacpr(<  ti,t2  >, sched)  >  T' 


Since:  avacpr(<  ti,<2  >,  sched)  >  T' 

unavacpr(<  t\,t2  >,  sched)  <  TAG  PR  —  T'  —  T) 


V(i,ti,t2) 

i  G  domain(es(sched))  A  ti  =  es{sched)(i)  A  <2  =  es(sched)(i  +  1) 
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A  sacpll{t,sched) 

==^  unavacpr{<  ti,t2 


>,  sched)  <  T 


Since.  1  ^  ^ 


V(fi) 

RC  S  A  |-R|  =  T  A  Z)j;eRAF(x) I  —  T  A 
V(j/)  y  e  SIR 

-P{y) 


i  G  (iomazn(e5(5c/iec?))  A  =  es{^sched){i^  A  t2  =  es{sched)[i  +  1) 

A  sacpll{t,  sched) 

=>  V(i?)i2  C  AC  PR  A  \R\  =  T  A  ExeR  A  wnav?(a:,<<i  ^  ^ 

A  V(«/)  y  €  ACPRfR 

avl{y,<ti,t2  >1  sched) 


Since:  avl{y,  <ti,t2>,  sched) 


V(i)  j  e  domain{sched)  A  affects‘!{j,y) 
->  during{j,  <  ti,t2  >) 


<=^ 


y{i,tijt2) 

i  G  domain{es(^sched))  A  ti  =  e5(5c/ie<i)(i)  A  “  e5(5c/ie(j?)(i  +  1) 

A  sacpU{t,  sched) 

- >■  V(i?)il  C  AC  PR  A  ji?!  =  T  A  Ex6R  a  unavl(x,<ti,t2>,sched)  ^  —  T 

A  V(y)  y  G  AC* Pi?/ P 

V(j)  j  €  domciiTi^sched)  A  Oiffectsli^j^y) 

-'during{j,  <  ii,?2  >) 
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Substituting  -'during{j,<  ti,t2  >) 


4=> 

i  £  domain{es{sched))  A  ti  =  es(sched){i)  A  t2  =  cs{sched){i 1) 

A  sacpn(t,sched) 

y{R)R  c  ACPR  A  |i?l  =  r  A  E.eR  A  unavl (x j<ti  jt2'> iSched)  ^  ^ 

A  V(y)  y  G  ACPRfR 

\/(j)  j  £  domain(sched)  A  affectsl{jjy) 

=>  sched{j).ft  <  ti  V  sched{j).st  >  t2 


Since:  A  jB  C 
4=^ 

A  A  B  (7 


> - 

>! - r 


V(i,tl,f2) 

i  G  domain{es(sched))  A  =  es{sched){i)  A  t2  =  es{sched)(i  +  1) 
A  sacpn{t,sched)  A  y{R)RCACPR  A  |E|  =  T  A 
Exes  A  1  =  A  V(y)  j/  G  ACPi^/i? 

A  \/{j)  j  £  domain(sched)  A  affects'l{j^y) 
sched{j).ft  <  V  sched{j).st  >  t2 


Pulling  out  all  the  quantifiers: 


ti,  ^2)  -Bj  y)  i 

i  £  domain[es(sched))  A  =  es(sched){i)  A  ^2  =  es{sched){i  +  1) 

A  j  G  domain{sched)  A  C  ACPR  A  |i?|  =  T  A 
EieK  A  unau?(x,<ti,t2>,sc/ie(i)  1  =  7"  A  y  G  ACPRfR 

A  sacpn(t,sched)  A  affects‘?{j,y) 

==>  sched{j).ft  <  ti  V  sched{j).st  >  t2 
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Since:  {A'  =4*  A)  A  {A  B) 
(>!'  B) 


And:  (assuming  that  each  activity  has  the 

same  index  in  psched  and  sched) 
domain{psched)  C  domain{sched) 

domain{es{psched))  C  domain{es (sched)) 

V(i)  i  6  domain(psched)  A  pes(psched){i) 
==>  pes{psched)(i)  C  es(sched)(i) 

V(ii,t2)  unavl(x,<ti,t2  >, psched) 

=>  unavl(x,<  ti,t2  >,  sched) 


R,y) 

i  £  domain(pes(psched))  A  ti  =  pes{psched){i)  A  ^2  =  pes(psc/ied)(z  +  1) 
Aye  domain{psched)  A  i?  C  ACPR  A  |i2|  =  T  A 

SajgH  A  unavT{x,<.ti,t2'>, psched)  ^  ^  A  J/  €  AC P Rj R 

A  sacpn(t, psched)  A  affectsl(j,y) 

sched(j).ft  <  V  sched(j).st  >  t2 


Replacing  <ti,t2>  with  <  UB,LB  >C<  ti,t2  >,  where: 

given  a  generic  time  t  (ti  or  ^2),  act  the  corresponding 
activity  that  triggers  that  event  at  time  t,  type-event  =  s 
if  the  event  corresponds  to  the  start  of  act, type-event  =  f 
otherwise: 


UB  = 

If  type- event  =  s 
Then  act. 1st 
Else  act.lft 
(Notice  that  UB  >  ti) 


LB  = 
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If  type-event  =  s 
Then  act.est 
Else  act.eft 
(Notice  that  LB  >  ^2) 


And  since: 

{A  B)  A  {B  B') 
B’) 


i  €  domain{pes{psched))  A  ti  =  pes{psched)(i)  A  ^2  =  pes{psched){i  +  1) 
A  j  G  domain{psched)  A  RC  AC  PR  A  |i?|  =  T  A 

SxgH  A  unavT {x ,<ti  ,t2> tpsched)  ^  ^  A  2/  €  ACPRfR 

A  sacpP.{t,psched)  A  affects1[j,y) 

sched{j).ft  <  UB  V  sched{j).st  >  LB 


Which  corresponds  to  the  cutting  constraint,  derived  from  consistent-acp(sched)). 

Instantiation  of  ^  for  the  cutting  constraint  for  consistent-acp{sched)). 

^(x,r)  y{z  :  R) {Satisfies {z,r)  r))  (12) 

In  the  outage  problem,  the  expressions  for  Satisfies{z,r)  and  '^{x,z,r)  (for  the 
consistent- acp)  are: 

Def  :  Satisfies{sched,psched) 

domain{psched)  C  domain{sched)  A 
V(<) 

i  €  domain{psched) 

psched{i).est  <  sched{i).st  <  psched{i).lst 


Def  :  'tl>{acts,sched,psched)  (for  the  consistent- acp) 
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V(i, ii, ^29^9 -^9 2/)  T  i\ 

%  G  domain{pes[psched))  A  ti  =  pes[psched){i)  A  ^2  =  pe5(p5c/lea)(^  +  1) 
A  j  G  domain{psched)  A  i?  C  AC  PR  A  |i?l  =  T  A 
Y1x£R  Aunav?(x,  1  =  T  A  !,  €  ACPfi/H 

A  sacpn{t,psched)  A  affectsl(j,y) 
y  schcdi^j^.ft  <C.  U B  V  schcdi^j') .st  ^ 


Combining  both  we  can  instantiate  ^{act,psched)  i.e., 


^[act,psched)  4=^  \/(^sched)[Sa,tisfies{sched,psched) 


^  (act,  sched,  psched)) 
(13) 


Def  :  ^{act, psched) 


\/{sched) 

domain{psched)  C  domain{sched)  A 

v(0 

i  €  domain{psched) 

=>  psched(i).est  <  sched{i).st  <  psched{i).lst 

>'  V(fc,  tl,  ^25  J/)  j\/; 

k  G  domain{jpes{jpschtd))  A  ti  =  pes[psched){k)  A  t2  =  pes{psched)[k  + 
A  j  G  domain{psched)  A  i?  C  AC  PR  A  |/?|  =  T  A 

Y^xeR  A  unavT{x,  <tut2>, psched)  1  -  r  A  J/  G  ACPRjR 
A  sacpU{t, psched)  A  affectsl{j,y) 

sched{j).ft  <  UB  V  sched{j).st  >  LB 


1) 


Since:  A  A  B  C 

yi  B  C 


y^sched) 

domain{psched)  C  domain{sched) 

v(0 

t  G  domain{psched) 

psched{i).est  <  sched{i).st  <  psched{i).lst 
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=>  -R,  2/) 

k  G  domain{pes{psched))  h  ti=  pes{psched){k)  A  ^2 
A  j  £  domain[psched)  A  RQ  AC  PR  A  \R\  =  T  A 

A  unav?(x,  <,„fe>„.cW)  1  =  r  A  » €  ACPB/B 
A  sacpn{t,psched)  A  affects^.  {j,y) 

sched{j).ft  <UB  y  sched{j).st  >  LB 


Rearranging  quantifiers 


\/[sched) 

domain{psched)  C  domain{sched) 

v(0 

i  G  domain[psched) 

psched{i).est  <  sched{i).st  <  psched{i).lst 
=>  y(j)  j  G  domain(psched)  A 

y{k,U,h,R,y) 

k  G  domain[pes[psched))  A 

ti  =  pes{psched){k)  A  t2  =  pes{psched){k  +  1) 

arc  acpr  a  \r\  =  t  a 

A  unav'!{x,<ti,t2>,psched)  ^  ^  V  ^  ACPRj R 

A  sacpUit^psched)  A  affects"? {j,y) 

sched{j).ft  <  UB  V  sched{j).st  >  LB 


Since:  A  A  B  C 


A 


B  C 


y[sched) 

domain[psched)  C  domain[sched) 

^  v(0 

i  G  domain(psched) 

psched{i).est  <  sched(i).st  <  psched{i).lst 
==^  Vf?)  7  G  domain(psched) 

^  V{k,h,h,R,y) 

k  G  domain{pes{psched))  A 


pes{psched){k  +  1) 


1 

4 
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=  pes{psched){k)  A  ^2  —  pes{psched'){k  +  1) 

^  RC  AC  PR  A  \R\=T  A 

Exefi  A  unavn.,<tuH>,psched)  1  =  T  A  J/  €  ACPR/R 
A  sacpll {t , psched)  A  o,ffectsl{j,y) 

— ^  sched(^j).ft  <  J7J3  V  sched(^j).st  >  LS 


Since:  V(K)/i:  €  5  P(/^) 

v(p:)p'  €  5 

y{K)K  eS  P{K)  =4  Q{K) 


4=4- 

y^sched) 

doTna,in{psched)  C  domaini^sched) 

=4-  V(i) 

i  G  domain{psched) 

psched{i).est  <  sched{i).st  <  psched{i).lst 

y{k,ti,t2,R,y) 

k  G  domain{pes{psched))  A 

=  pes{psched)\k)  A  <2  =  pes{psched){k  +  1) 

A  i?  C  ACPP  A  jPl  =  r  A 

v  /  w^l  =  PA^/e  ACPRjR 

l^xeR unavl(x,<ti,t2>,psched)  ^  \ 

A  sacpU{t,psched)  A  affectsl{i,y) 

— >•  sched{i').ft  <.  UB  V  sched(i).st  >  PP 


Since:  A  B  ==^  C 
4=^ 

A  /\  B  C 


y(^sched) 

doTnaifi^jpsched)  C  domaini^sched) 

=4-  V(i) 

z  G  domain{psched) 
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psched{i).est  <  sched{i).st  <  psched{i).lst 
A  \/{k,ti,t2,R,y) 
k  €  domain{pes{psched))  A 
ti  =  pes{psched){k)  A  <2  =  pes{psched){k  +  1) 
ARC  ACPR  A  |i?|  =  r  A 

IZxgJi  A  unavl{x,<ti,t2>,psched)  ^  —  T  ^  2/  G  AC P Rj R 

A  sacpU{i,psched)  A  affects‘!{i,y) 

sched[i).ft  <  UB  W  sched{i).st  >  LB 


Since: 


A  =>  [B  A  C) 
{A  A  B)  C 


\/(sched) 

domain{psched)  C  domain[sched) 

V(0 

i  G  domain{psched)  A 

y{k,ti,t2j,  R,y) 

k  €  domain{pes{psched))  A 

ti  =  pes{psched){k)  A  t2  =  pes{psched){k  +  1) 

A  RC  ACPR  A  |i?|  =  r  A 

A  unav'!{x,<ti,t2>,psched)  ^  —  T  A  y  €.  AC PRj R 
A  sacpU{t,psched)  A  affectsl{j^y) 
sched{i).st  <  psched{i).lst 

psched{i).est  <  sched{i).st 

sched{i).ft  <  UB  y  sched{i).st  >  LB 


Treating  one  disjunct: 


y{sched) 

domaini^psched)  C  domain[sched) 

y{i) 

i  G  domain{psched)  A 

R,y) 

k  €  domain{pes{psched))  A 
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ti  —  pes{psched){k)  A  t2  =  pes{psched){k  +  1) 

A  RC  ACPR  A  |i?|  =  r  A 

'I2x^R  a  unav'!{x,<ti,t2>,psched)  ^  ^  ^  2/  ^  AC P Rf R 

A  sacpl1{t,psched)  A  affectsl{j,y) 
sched{i).st  <  psched{i).list 

psched{i).est  <  sched{i).st 
LB  <  sched{i).st 


Replacing  sched  with  qsched: 

domain{qshed)  =  domain{psched) 

V(a)  a  €  domain{qshed) 

=4*  qsched{a)  =  sched{a) 

(Assuming  that  each  activity  has  the 
same  index  in  psched,  qsched,  and  sched) 

Since:  {A'  ==4-  A)  A  {A  B) 

=4’ 

[A!  =4>  B) 


\/{qsched) 

domain{psched)  C  domain{qsched) 

^v(i) 

i  6  domain{qschtd))  A 

R,y) 

k  €  domain{pes{psched))  A 

<1  =  pes{psched){k)  A  <2  =  pes{psched){k  +  1) 

A  RCACPR  A  |R|  =  rA 

A  unav'!{x,<ti,t2>, psched)  ^  —  T  A  J/  €  AC PRj R 

A  sacpU{t, psched)  A  affects'! {j^y) 
qsched(i),st  <  psched(i)Jst 
=4'  pschedHj.esi  qsched(i).st 
=4  i/B  <  sched{i).st 


Since:  V(m)  S{m) 

V(a)  a  €  domain(m)  A  T{a) 

(p(a)  <  m(a)  =4  q{a)  <  m{a)) 
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S{p)  A  V(a)  a  €  domain{p)  A  T{a) 

(9(a)  <p(o)) 


v(0 

i  €  domain{psched)  A 

k  €  domain{pes{psched))  A 

=  pes{psched){k)  A  ^2  =  pes{psched){k  +  1) 

A  i?  C  AC  PR  A  li^l  =  r  A 

A  unav1(x,<t\,t2>,psched)  ^  ^  ^  D  ^  ACPRjR 

A  sacpll{t,psched)  A  affectsl{j,y) 

=4*  <  psched{i).est 


Treating  the  second  disjunct: 


\/{sched) 

domain{psched)  C  domain{sched) 

V(i) 

i  G  domain{psched)  A 
V(fc)  ti5  ^2  j  2/) 

A:  G  domain{pes(psched))  A 

ti  =  pes{psched){k)  A  i2  =  pes{psched){k  +  1) 

A  i?  C  ACPi?  A  |i?|  =  T  A 

Srefl  A  unav^{x,<tl,i2>,p3ched)  1  —  ^  A  J/  G  AC PRj R 
A  sacpn{t,psched)  A  affects7{j^y) 

psched{i).est  <  schtd{i).st  | 

=>•  schtd{i),st  <  psched(i).lst  | 

sched{i).ft  <  UB  \ 

Since:  sched{i).ft  <UB 

I 

sched{i).st  <UB  -  sched(i). duration  j 
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y{sched) 

domain{psched)  C  domain{sched) 

v(0 

i  6  domain{psched)  A 

y{k,ti,t2j,R,y) 

k  €  domain{pes{psched))  A 

=  pes{psched)lk)  A  ^2  =  pes{psched){k  +  1) 

A  C  ACPi?  A  li?|  =  T  A 

A  unavt (x ,<ti ,t2> ,psched)  ^  ^  ^  2/  ^  AC P Rj R 

A  sacpll{t,psched)  A  affectsT{j,y) 
psched{i).est  <  sched{i).st 

sched{i).st  <  psched{i).lst 

sched{i).st  <UB  -  sched{i). duration 


Replacing  sched  with  qsched: 

domain{qshed)  =  domain{psched) 

V(a)  a  €  domain{qshed) 

==^  qsched{a)  =  sched{a) 

(Assuming  that  each  activity  has  the 
same  index  in  psched,  qsched,  and  sched) 


Since:  {A!  =>■  A)  A  (A 


[A'  B) 


B) 


\/(qsched) 

domain[psched)  C  domain{qsched) 

v(0 

i  €  domain{qsched))  A 

'^{k,ti,t2j,R,y) 

k  €  domain{pes{psched))  A 

=  pes{psched){k)  A  ^2  =  pes{psched){k  +  1) 

A  P  C  ACPR  A  |P1  =  r  A 

I!)a:eR  A  unav'>(x,<tut2>,psched)  1  =  P  A  t/  €  ACPRIR 

A  sacpll{t, psched)  A  affectsl{j,y) 
psched{i).est  <  qsched{i).st 

qsched{i).st  <  psched{i).lst 

qsched{i).st  <UB  -  q$ched{i). duration 
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Since:  V(m)  S{m) 


V(a)  a  €  domain{m)  A  T{a) 

(m(a)  <  p[a)  ==>•  m(a)  <  q{a)) 


S{p)  A  V(a)  a  €  domain{p)  A  T(a) 

=*■  (p(“)  s  ?(ii) 


V(i) 

i  €  domain{psched)  A 

R,y) 

k  €  domain{pes{psched))  A 

=  pes{psched){k)  A  ^2  =  pes{psched){k  +  1) 

A  RCACPR  A  li2|=rA 

Scgjl  A  unav7(x,<ti,t2>,psched)  ^  ^  ^  2/  €  AC P Rf R 

A  sacpU(t,psched)  A  affects1{j^y) 

psched{i).lst  <  UB  —  pched{i). duration 


Since:  psched{i).lst  <  UB  —  pched{i). duration 


psched{i).lft  <  UB 


V(i) 

z  €  domain{psched)  A 

A;  e  domain{pes{psched))  A 

=  pes{psched){k)  A  <2  =  pts{psched){k  +  1) 

A  RCACPR  A  |i?|=rA 

2a;6il  A  unav'!{x,<ti,t2>,psched)  ^  ^  2/  ^  AC PRf R 

A  sacpn{t,psched)  A  affects7{j,y) 
psched{i).lft  <  UB 
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Appendix  C  -  Domain  Theory  for  the  Outage 
Problem 


! !  in-package ("RE") 

!!  in-grammar  ('THEORY-GRAMMAR,  'REGROUP) 
THEORY  SAFE-OUTAGE 

./, - 

THEORY-IMPORTS  {} 

./. - 

THEORY-TYPE-PARAMETERS  {} 

I - 

THEORY-TYPES 


-  Basic  Types  - 

type  time  =  integer 

type  quantity  =  integer 

type  state-res  =  symbol 

type  acploss-i  =  integer  '/,(0  -  yes  ;  1  no) 

type  list-av-ress  =  set (state-res) 

type  set-of-acts-acploss  =  set (activity) 

type  state-type 

=  tuple (acploss?:  acploss-i, 
num-unav-ress :  integer, 
unav-res-map :  map(symbol,  set(symbol)) , 
list-av-ress : set (state-res) ) 

type  st-bist-map  =  map (time,  state-type) 

'/,  dependent  on  the  input  data 

constant  *initial-state-map*:  st-hist-map 

=  {|0  ->  <  1,  0,  {||},  {  'divl,  'div2,  'div3,  'div4,  'sulO,  'su20  }>|} 
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type  pred-succ-act 

=  tuple(id:  symbol,  lag:  integer,  tie:  symbol) 

'/, -  Activity  - 

type  activity  =  tuple (act -name  :  symbol, 

predecessors  :  seq(pred-succ-act) , 
duration  :  integer, 
est  :  integer, 

1st  :  integer, 

St  :  integer, 
ft  :  integer, 
effect-set:  set (symbol) 


) 


Schedule 


type  sched  =  seq(activity) 

'/, - State  Related  Types  and  Constants 


constant  *acp-sources*  :  map(  symbol  ,  seq(symbol)) 
=  {|  ’on-site  ->  [  'divl,  ’div2,  ’div3,  ’div4], 
'off-site  ->  [  'sulO,  ’su20  ], 

'control-variable  ->  [  'acploss]  1} 


•/. - - - 

THEORY-OPERATIONS 

•/. - - - 

y,  resources  are  assumed  to  be  unlimited 

Vo - Top  Level  Functions - ^ — 

function  pos-safe-outage 
(def-sched:  seq(activity) 

I  size (def-sched)  >  0 

&  Consistent-Activity-Separation-EST(def-sched) 
&  Consistent-Activity-Separation-LST(def-sched) 

&  Consistent-ac-power-propl (def-sched, 
construct-state-map-def (def-sched)  ) 

&  Consistent-ac-power-prop2 (def-sched , 
construct-state-map-def (def-sched)  )) 
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returns  (schedule:  seq(activity) 

I  consistent-ac-power(schedule) 

&  All-act ivities-scheduled(def-sched,  schedule))*/,  completeness 


function  safe-outage-windows 

(activities:  seq(activity) I  size(activities)  >  0) 
returns  (schedule:  seq(activity)  I 
Consistent-Activity-Separation-EST(schedule)  & 
Consistent-Activity-Separation-LST( schedule)  & 
Consistent-ac-power(schedule)& 

All-activities-scheduled(activities,  schedule))'/,  completeness 


Consistent  Activity-Separation 


function  Consistent-Activity-Separation-EST 
(schedule  :  seq(activity) ) 

:  boolean 

=  fa  (i  :  integer,  j  : integer,  act  :  activity) 

(i  in  [1  ..  size(schedule)] 

&  j  in  [1  . .  size(schedule(i) .predecessors)] 

&  act  =  get-activity(schedule,  schedule(i) .predecessors(j)) 

&  defined? (act) 

=>  (act.est  +  act. duration  +  schedule(i) .predecessors(j) .lag) 
<=  schedule(i) .est) 


function  Consistent-Act ivity-Separation-LST 
(schedule  :  seq(activity)) 

:  boolean 

=  fa  (i  :  integer,  j  : integer,  w:  integer) 

(i  in  [1  ..  size (schedule)]  & 
j  in  [1  . .  size(schedule(i) .predecessors)]  & 

w  =  get-activity-index (schedule,  schedule(i) .predecessors(j) . 1) 

=>  (scheduled)  .1st  -  schedule (w)  .duration  >=  schedule (w)  .1st  )) 


•/,*/.'/.*/,'/,'/,*/,*/,*/,'/,'/,y,y,y.y//.y//.y.y.7.y//////.y.y/^^  consistent  Ac-Power 


function  Consistent-ac-power 
(  schedule:  sched)  :  boolean 
=  let  (state-hist-map:  st-hist-map 
=  construct-state-map (schedule)) 
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fa  (tl: integer) 

(tl  in  domain (state-hist-map) 

=>  state-hist-map(tl) .num-unav-ress 

<=  (1  +  state-hist-map(tl) .acploss?)) 


y.y.my.y;////mx///x////////m  state-of-piant  y//.y//.y.y.y.y////.yj//.y.y.y.y.y////.y.y.y.y.yj//;///////.% 


function  Construct-state-map (schedule:  sched) 

:  st-hist-map 

=  construct-state-map-aux (schedule,  *initial-state-map*) 


function  Construct-state-map-aux(schedule:  sched,  init-st-hist :  st-hist-map) 
:  st-hist-map 
=  if  empty (schedule) 
then  init-st-hist 

else  if  empty(first (schedule) .effect-set) 

then  construct-state-map-aux(rest (schedule) ,  init-st-hist) 
else  construct-state-map-aux(rest (schedule) , 

init-st-hist  +*  add-act-map(first (schedule) , 
first (schedule) . effect-set , 
first (schedule) . st , 

first (schedule) .ft,  init-st-hist)) 


function  add- act -map 
(act:  activity, 
list-effects:  set (symbol), 
tl:  time,  t2:  time, 
state-hist-map:  st-hist-map) 

:  st-hist-map 
=  if  tl  >=  t2 
then  { I  I } 

else  (let  (start-event-map:  st-hist-map 
=  add-event-map-seq(act , list-effects , 
tl,  t2,  state "hist -map)) 
st  art “ event-map 

+*  add-event-map(act , list-effects,  t2,  'f, 
state-hist-map  +*  start-event-map)) 


function  fd-def-app 

(act:  activity,  ps:  seq(activity) , 
list-effects:  set(symbol). 
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tl:  time,  t2:  time, 
state-hist-map:  st-hist-map) 

:  st-hist-map 
=  if  tl  >=  t2 
then  { I  I } 

else  *call-def*  <-  append (*call-def*,  <act,  tl,  t2,  'app>); 
(let  (start -event -map:  st-hist-map 
=  add-event-map-seq(act , list-effects, 
tl,  t2,  state-hist-map)) 
start-event-map 

+*  add-event -map (act, list-effects,  t2,  'f, 
state-hist-map  +*  start -event -map)) 


function  fd-def-ext-est 

(ind:  integer,  ps:  seq(activity) , 
list-effects:  set(symbol), 
tl:  time,  t2:  time, 
state-hist-map:  st-hist-map) 

:  st-hist-map 

=  let  (begin-time:  integer=  max(tl ,ps(ind) .1st)) 

(if  ps (ind). 1st  >=  t2 
then  { I  I } 

else  *call-def*  <-  append (*call-def*,  <ps(ind),  tl,  t2,  ’est>); 
(let  ( start -event -map :  st-hist-map 
=  add-event-map-seq(ps(ind) , list-effects, 
begin-time,  t2,  state-hist-map)) 
start-event-map 

+*  add-event-map(ps(ind) , list-effects ,  t2,  ’f, 
state-hist-map  +*  start-event-map))) 


function  fd-pos-ext-est 

(ind:  integer,  ps:  seq(activity) , 
list-effects:  set (symbol), 
tl:  time,  t2:  time, 
state-hist-map:  st-hist-map) 

:  st-hist-map  */,  returns  all  the  entries  that  changed 
=  if  tl  >=  t2 
then  { I  I } 

else  (let  (start-event-map:  st-hist-map 

=  del-event-map-seq(ps (ind), list-effects,  tl,  t2,  state-hist-map)) 
(start-event-map  +*  add-event-map(ps (ind) , list-effects,  t2,  's, 
state-hist-map  +*  start-event-map))) 


47 


function  fd-pos-ext-lst 

(ind:  integer,  ps:  seq(activity) , 
list-effects :  set (symbol) , 
tl:  time,  t2:  time, 
state-hist-map:  st-hist-map) 

:  st-hist-map  '/,  returns  all  the  entries  that  changed 
=  if  tl  >=  t2 
then  { I  I } 

else  (let  (start -event -map:  st-hist-map 

=  del-event-map-seq(ps (ind) , list-effects,  tl,  t2,  state-hist-map)) 
start -event -map  +*  add-event-map(ps(ind) , list-effects,  t2,  'f, 
state-hist-map  +*  start-event-map)) 


function  fd-def-ext-lst 

(ind:  integer,  ps:  seq(activity) , 
list-effects:  set(symbol), 
tl:  time,  t2:  time, 
state-hist-map:  st-hist-map) 

:  st-hist-map 

=  let  (end-time:  integer®  min((ps(ind) .est  +  ps (ind) .duration) ,  t2)) 
(if  tl  >=  (ps(ind).est  +  ps (ind) .duration) 
then  { I  I } 

else  (let  (start -event-map:  st-hist-map  = 

add-event-map-seq(ps(ind) , list-effects, 
tl,  end-time,  state-hist-map)) 

(if  end-time  =  t2  &  t2  ps(ind).est  +  ps  (ind)  .duration 
then  start -event -map 

else  (start -event -map  +*  add-event-map (ps (ind) , 
list-effects,  end-time,  'f, 
state-hist-map  +*  start-event-map))))) 


function  add-event-map-seq 
(act:  activity, 
list-effects:  set (symbol), 
tl:  time,  t2:  time. 
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state-hist-map:  st-hist-map) 

:  st-hist-map 

=  let  (seq-time:  seq(integer)= 

sort(  Cxi  (x)  X  in  domain(state-hist-map) 

&  X  >  tl  & 

X  <  t2] ,  lambdaC  al,  a2)  al  <=  a2) , 
event-before:  state-type  = 

get-event-before (tl,  state-hist-map)) 
let  (update-first:  st-hist-map  = 

{|  tl  ->  update-status-start (tl ,  act .act-name, 

event-before, list-effects) |}) 
add-event-map-rec(act ,  list-effects,  seq-time, 

state-hist-map+*  update-first,  update-first) 


function  add-event-map-rec 
(act : activity, 
list-effects:  set (symbol), 
seq-time:  seq(integer) , 
state-hist -map:  st-hist-map, 
init-map:  st-hist-map) 

=  if  empty (seq-time) 
then  init-map 

else  let  (add-first:  st-hist-map  =  add- event -map (act,  list-effects, 
seq-time(l),  ’s  , 
state-hist-map)) 

add-event-map-rec (act,  list-effects,  rest (seq-time) , 
state-hist-map  +*  add-first, 
init-map  +*  add-first) 


•/.*/. 


function  add-event-map 
(act:  activity, 
list-effects:  set(symbol), 
tl:  time,  type-s:  symbol, 
state-hist-map:  st-hist-map) 

:  st-hist-map 

=  (let  (event-before:  state-type 
=  get-event-before (t 1 ,  state-hist-map)) 
if  type-s  =  ^s 
then  -Cl  tl  -> 
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iipda.te~sta,tus”start  (t  1 ,  act.  act  “name,  event  “bef  ore,  list-eff  sets)  I} 
else  {|  tl  -> 

update-status-finish(tl,  act. act -name,  event-before, list-effects) |}) 


%  this  should  be  del-partial-act -map 


function  del-act-map 
(act:  activity, 
list-effects :  set (symbol) , 
tl:  time,  t2:  time, 
state-hist-map:  st-hist-map) 

:  st-hist-map  */,  returns  all  the  entries  that  changed 
=  if  tl  >=  t2 
then  { I  I } 

else  (let  (start -event -map:  st-hist-map 

=  del-event -map-seq(act, list-effects,  tl,  t2,  state-hist-map)) 
if  t2  =  act. 1st  +  act. duration 

then  (start -event -map  +*  add-event-map(act, list-effects,  t2,  'f, 
state-hist-map  +*  start-event-map)) 
else  if  tl  =  (  act.est  +  act .duration) 

then  (start -event -map  +*  add-event-map (act , list-effects,  t2,  's, 
state-hist-map  +*  start -event -map)) 
else  start -event -map  ) 


function  del-event-map-seq 
(act:  activity, 
list-effects:  set (symbol), 
tl:  time,  t2:  time, 
state-hist-map:  st-hist-map) 

:  st-hist-map 

=  let  (seq-time:  seq(integer)= 

sort(  [  X  I  (x)  X  in  domain(state-hist-map) 

&  X  >  tl  & 

X  <  t2] ,  lambda(  al,  a2)  al  <=  a2) , 

event-before:  state-type  =  get-event-before(tl ,  state-hist-map)) 
let  (update-first:  st-hist-map® 

{|  tl  -> 

update-status-finish(tl,  act .act-name,  event -before, list-effects) |}) 
del-event-map-rec(act,  list-effects,  seq-time, 

state-hist-map  +*  update-first,  update-first) 
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function  t-f ind-event-before 

(tl:  integer,  ml:  map (integer, set (integer))) 
:  set (integer) 

=  ml (t-time-bef ore-in-domain (ml ,tl ,  ml(tl))) 


function  t-time-before-in-domain 

(  ml:  map(integer,set(integer)) ,  i-ti:  integer,  i-ti-val:  set(integer)) 

:  integer  = 

let  (val  =  undefined) 

ti-val  =  ml(ti) 

&  ti  <  i-ti 

&  (defined? (val)  =>  ti  >  val) 

— >  val  <-  (val;  ti) ; 
val 


function  del-event-map-rec 
(act : activity, 
list-effects:  set (symbol), 
seq-time:  seq(integer) , 
state -hist -map:  st-hist-map, 
init-map:  st-hist-map) 

=  if  empty(seq-time) 
then  init-map 

else  let  (add-first  :  st-hist-map=  add-event-map(act ,  list-effects, 
seq-time(l),  'f  , 
state-hist-map) ) 

del-event-map-rec (act,  list-effects,  rest (seq-time) , 
state-hist-map  +*  add-first, 
init-map  +*  add-first) 


function  get-event -before 

(tl:  time,  st at e-hist -map:  st-hist-map) 

:  state-type 

=  if  defined? (state-hist-map (tl)) 
then  state-hist-map(tl) 

else  find-event-before(tl,  state-hist-map) 

function  f ind-event-before 

(tl:  time,  state-hist-map:  st-hist-map) 

:  state-type 

=  st  at  e-hi St -map (t ime-bef ore- in-domain ( state-hist-map , 
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tl,  state-hist-mapCtl))) 


function  value-in-interval-map 

(size-def-reserv-m:  map(time,  alpha),  i-ti:  time) 

:  alpha  = 

let  (var  val  =  0,  var  prev-dom-el  =  undefined) 
ti-val  =  size-def-reserv-m(ti) 

&  ti  <=  i-ti 

k  (defined? (prev-dom-el)  =>  ti  >  prev-dom-el) 

— >  (val  <-  (val;  ti-val);  */,  This  is  a  hack  to  avoid  an  early  stop 
prev-dom-el  <-  (prev-dom-el;  ti)); 
val 

function  load-map-equal? 

(ml:  st-hist-map,  m2:  st-hist-map) :  boolean  = 
fa(ti)  (ti  in  domain(ml)  union  domain(m2) 

=>  value-in-interval -map (ml,  ti)  =  value-in-interval-map (m2,  ti)) 


function  time-before-in-domain 

(state-hist-map:  map(time,  state-type),  i-ti:  time,  i-ti-val:  state-type) 
:  time  = 

let  (val  =  undefined) 
ti-val  =  state-hist-map (ti) 

&  ti  <  i-ti 

k  (def ined?(val)  =>  ti  >  val) 

-->  val  <-  (val;  ti) ; 
val 


function  time-after-in-domain 

(  i-ti:  time,  i-ti-val:  quantity, 

def-state-map:  map(time,  state-type)):  time  = 
let  (val  =  undefined) 

ti-val  =  def-state-map(ti) .num-unav-ress  -  def-state-map(ti) .acploss? 
k  ti-val  i-ti-val 
&  ti  >  i-ti 

k  (def ined?(val)  =>  ti  <  val) 

— >  val  <-  (val;  ti) ; 
val 


function  update-status-start  (tl :  time,  a-naone:  symbol, 

state-e-before:  state-type,  1-effects:  set (symbol)) 
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:  state-type 

=  let  (new-acp-status :  integer 
=  (if  'acploss  in  1-effects 
then  0 

else  state-e-before . acploss?) , 

new-num-used-res :  integer 
=  state-e-before.num-unav-ress 
+  size(intersect(l-effects,  state-e-before .list-av-ress) ) , 
new-unav-res-map :  map (symbol , set (symbol) ) 

=  {|  X  -> 

update-res-map(x,  state-e-before.unav-res-map,  a-name,  1-effects) 
I  (x)  X  in  union(domain(state-e-before.unav-res-map) , 

1-effects) |}, 

new-av-list:  set (symbol) 

=  setdiff (state-e-before. list-av-ress,  1-effects)) 

<  new-acp-status, 
new-num-used-res , 
new-unav-res-map, 
new-av-list  > 

function  update-status-finish 

(tl:  time,  a-neime:  symbol,  state-e-before:  state-type, 

1-effects:  set (symbol)) 

:  state-type 

=  let  (new-acp-status:  integer 
=  if  'acploss  "in  1-effects 
then  state-e-before. acploss? 
else  (let  (acts  =  state-e-before.unav-res-map ('acploss)) 
if  defined? (acts) 

&  acts-less-act-named(acts,  a-name)  "=  {} 
then  0 
else  1) , 

new-num-used-res :  integer 
=  size({  X  1  (x:  symbol,  acts) 
acts  =  state-e-before.unav-res-map(x) 

&  defined? (acts) 

&  X  "=  'acploss 

&  acts-less-act-named(acts,  a-neutie)  ~=  {}})  , 

new-unav-res-map :  map(symbol , set (symbol) ) 

=  {1  X  ->  new-acts 

1  (x,  acts,  new-acts)  acts  =  state-e-before .unav-res-map(x) 

&  defined? (acts) 

&  new-acts  =  acts-less-act-named(acts,  a-name) 

&  new-acts  ~=  {}  |}) 

let  (new-av-list:  set (symbol) 
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=  setdiff (*initial-state-map*(0) .list-av-ress , 
domain (new-unav-res-map) ) ) 

<  new-acp-status, 
new-num-used-res , 
new-unav-res-map , 
new-av-list  > 


function  update-res-map 

(res:  symbol,  res-map:  map (symbol, 
1-effects:  set (symbol)) 

:  set (symbol) 

=  if  res  in  1-effects 

then  if  defined? (res-map(res)) 
then  res-map (res)  with  a-name 
else  {a-name} 

else  if  defined? (res-map(res)) 
then  res-map (res) 

else  {} 


set (symbol) ) ,  a-name: 


symbol , 


function  act-named-in?(nm:  symbol,  acts:  set (activity)) :  boolean  = 
ex(actl:  activity) (actl  in  acts  &  actl . act-name  =  nm) 

function  acts— less— act— named(acts :  set(symbol),  nm:  symbol):  set(symbol)  = 
filter(lambda(actl :  symbol)  actl  ~=  nm, 
acts) 


y//////.y//.y////////.y//;/.y.y.y.y.y.y.y.y.  Def-state-of-piant  y//////.y//.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y. 


function  Construct-state-map-def (schedule :  sched) 

:  st-hist-map 

—  construct-state-map-def —aux (schedule ,  *initial-state-map*) 

function  Construct-state-map-def -aux 

(schedule:  sched,  init-st-hist :  st-hist-map) 

:  st-hist-map 
=  if  empty (schedule) 
then  init-st-hist 

else  if  empty (first (schedule) .effect-set) 

then  construct-state-map-def-aux(rest (schedule) ,  init-st-hist) 
else  construct-state-map-def-aux(rest (schedule) ,  init-st-hist 
+*  add-act-map(first (schedule) , 
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first (schedule) .effect^set, 
first (schedule) .1st, 
first (schedule) .est 
+  first (schedule) .duration  , 
init“st-hist)) 


y.y.y////.y.y.y.y.y.y////.y.y.y*y«y//*y'ny.y.%  pos-state-of-piant  y.y.y.y//.y////.y.y.y.y.y//.y.y.y.y.y.y.y.y.y.y.y. 


function  Construct“Stat6~iiiap“pos (schedule,  sched) 

:  st-'hist-map 

=  construct-state-map-pos-aux (schedule,  *initial-state-map*) 


function  Construct-state-map-pos-aux 

(schedule:  sched,  init-st-hist :  st-hist-map) 

:  st-hist-map 
=  if  empty (schedule) 
then  init-st-hist 

else  if  empty (first (schedule) .effect-set) 

then  construct-state-map-pos-aux(rest (schedule) ,  init-st-hist) 
else  construct-state-map-pos-aux(rest (schedule) ,  init-st-hist 
+*  add-act-map (first (schedule) , 

first (schedule) . effect-set , 
first (schedule) . est , 
first (schedule) .1st 

+  first (schedule) .duration,  init-st-hist)) 

function  longest -highest-poss-excess-interval 
(poss-state-map :  map(time,  state-type)) 

:  tuple (time,  time)  = 
let  (var  best-dom-val  =  undefined, 
var  best-ran-val  =  undefined, 
var  best-aft er-dom-val  =  undefined) 

ti-val  =  poss-state-map(ti) .num-unav-ress  -  poss-state-map(ti) . acploss? 
&  ti-val  >  1 

&  (defined? (best-dom-val) 

=>  ti-val  >  best-ran-val 
or  (ti-val  =  best-ran-val 

&  time-after-in-domain(  ti,  ti-val,  poss-state-map)  -  ti 
>  best-after-dom-val  -  best-dom-val)) 

— >  (best-dom-val  <-  (best-dom-val;  ti) ; 
best-ran-val  <-  (best-ran-val;  ti-val); 
best-after-dom-val 

<-  time-after-in-domain 

(  best-dom-val,  best-ran-val,  poss-state-map)); 
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if  defined? (best-dom-val)  &  defined? (best-after-dom-val) 
then  <best-dom-val,  best-after-dom-val  -  1> 
else  undefined 


function  maximally-poss-act-in-poss-interval 

(sched:  seq(activity) ,  i-ti:  time,  e-ti:  time, 
unav-res:  map (symbol,  set (symbol))) 

:  integer  = 

let  (var  max-poss-act  =  undefined, 
var  max-poss-time  =  undefined, 
var  max-poss-indx  =  undefined, 

sel-resource  =  get-least-committed-res (unav-res) ) 

(enumerate  act  over  unav-res (sel-resource)  do 

let  (  ti:  integer  =  get-activity-index(sched,  act)) 

let  (act-poss-time  =  poss-time-in-interval(sched(ti) ,  i-ti,  e-ti)) 
if  (defined? (max-poss-time)  =>  act-poss-time  >  max-poss-time) 
then  max-poss-act  <-  act; 
max-poss-indx  <-  ti; 
max-poss-time  <-  act-poss-time) ; 

%  format  (true,  selected  resource  :  selected  activity :  ~S" , 

y,  sel-resource,  max-poss-act); 
max-poss-indx 


function  get-least-committed-res (unav-res  :  map (symbol,  set (symbol))) 
:  symbol 

=  first(sort([  x  I  (x)  x  in  domain (unav-res) ] , 
lambda(al:  symbol,  a2:  symbol) 

(size(unav-res(al))  <  size(unav-res(a2))))) 

function  poss-time-in-interval 

(act:  activity,  i-ti:  time,  e-ti:  time):  time  = 
let  (est  =  act , est , 

1st  =  act. 1st, 
dur  =  act .duration) 
let  (eft  =  est  +  dur, 

1ft  =  1st  +  dur) 
if  est  =  1st  then  0 

else  max(min(lft,  e-ti  +  1)  -  max(eft,  i-ti), 
min(lst,  e-ti)  +  1  -  max(est,  i-ti)) 


56 


function  poss-interval-split-time 

(act:  activity,  i-ti:  time,  e-ti:  time):  time  = 
let  (est  =  act.est, 

1st  =  act. 1st, 
dur  =  act .duration) 
let  (eft  =  est  +  dur, 

1ft  =  1st  +  dur) 
let  (max-est  =  max(est,  i-ti), 
min-lst  =  min(lst,  e-ti), 
max-eft  =  max(eft  -  1,  i-ti), 
min-lft  =  rnindft  -  1,  e-ti)) 
if  est  =  1st  then  undefined 
else 

if  min-lst  -  max-est  >=  min-lft  -  max-eft 
then  (max-est  +  min-lst)  div  2 
-  (if  max-est  =  min-lst  &  est  <  max-est 
then  1  else  0) 

else  (max-eft  +  min-lft)  div  2  -  dur 

+  (if  max-eft  =  min-lft  &  eft  <=  max-eft 
then  0  else  1) 


Aii-activities-scheduied  y.y.y.y.y.y.mnny.r/.y.y.y.*m. 

function  All-activities-scheduled 
(activities:  seq(activity) , 
schedule  :  seq(activity)) 

:  boolean 

=  included-activities (activities)  =  included-activities (schedule) 

function  Included-activities (activities  :  seq(activity) ) 

:  set (symbol) 

=  seq-to-set(image(leimbda  (act  :  activity) 

act .act -name, 
activities)) 

Sort  Input  y.y.y.y.y.y.y.y.y////.y//.y////.y.y.yj;///.y.y.y//^ 

function  sort-activities  (activities  :  seq(activity) )  :  seq(activity) 

=  image (lambda(x  :  tuple (activity,  seq(activity)))  x.l, 
sort ( image (lambda(y)  <y,  activities>,  activities), 
sort-criteria) ) 


function  get-level(act  :  activity,  acts  :  seq(activity) )  :  integer 
computed-using 
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empty (act .predecessors)  =>  get-level (act ,  acts)  =  0, 

true  =>  get-level (act , acts)  =  1  +  reduce (lambda (x,y)  if  y  <  x  then  x  else  y, 
image (lambda(y)  get-level(y,  acts), 

image (lambda(x)  get-activity (acts,  x) , 
act .predecessors) ) ) 


function  sort-criteria  (actl  :  tuple (activity,  seq(activity) ) , 


act2  :  tuple (activity,  seq(activity)))  :  boolean 
integer  =  get-level(actl.l,  act 1.2), 
integer  =  get-level (act2 . 1 ,  act2.2), 
integer  =  actl. 1.1st  -  actl.l.est  -  actl . 1 .duration, 
integer  =  act2. 1.1st  -  act2.1.est  -  act 2. 1 .duration) 
if  (keyl-1  <  keyl-2)  then  true 
else  (keyl-1  =  keyl-2)  &  (key2-l  <  key2-2) 


=  let  (keyl-1 
keyl-2 
key2-l 
key2-2 


V  V  V  V  V  V  •/  V  V  */ V  V  V  V  V  V  V  V  V  V  V  V  V  V  V  V  V  Oi 


Misc 


0/  0/ «/  0/  y  y  y  y  y  y  y  y  y  y  y  y  y  y  y  y  y  y  y 
/q  /o  /o  /o  /o  /o  h  h  to  to  to  to  to  to  to  to  to  to  to  to  to  to  to 


function  get-activity 

(activities  :  seq(activity) ,  act-s  :  pred-succ-act) 

:  activity 

=  first (filter(lambda(x;  activity)  x.act-ncune  =  act-s. id,  activities)) 


function  get-activity-index 

(activities  :  seq(activity) ,  name  :  symbol) 

:  integer 

=  some  (indxO  :  integer) 

(indxO  in  domain(activities)  &  name  =  activities (indxO) . 1) 


ymuin  Printing  functions 


function  print-problem-gaunt (prob-acts :  seq(activity) )  = 

(enumerate  act:  activity  over  prob-acts  do 

print-gann.t-line(act ,  act-neime,  act.est,  act.  1st,  act  .duration))  ; 
format  (true,  "‘'9@a''10(aa"10@a"10®a~10(aa~10@a"y," , 

0,  10,  20,  30,  40,  50); 
values  0 


function  print-ascii-gannt(sched:  seq(activity) )  = 
let  (width  =  reduce (max, 

image  (leimbda  (act:  activity)  act.  1st  +  act  .duration, 
sched) ) ) 
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let  (scale-factor  =  if  width  <  100  then  1  else  width  div  100  +  1) 
(enumerate  act:  activity  over  sched  do 
print-gannt-line 
(act  .act-neime, 
act.est  div  scale-factor, 
act. 1st  div  scale-factor, 

max(l,  (act .duration  -  1)  div  scale-factor  +  1))); 

format  (true,  "*'9Qa",  0); 

(enumerate  sn  over  [1  . .  width  div  scale-factor  div  10]  do 
format (true,  "”10®a",  sn  *  10  *  scale-factor)); 

format(true, 

values  0 

function  print-gannt-line (nm:  symbol,  est:  time,  1st:  time,  dur:  time) 
let  (est  =  est  +  1,  '/,  because  zero-based 
1st  =  1st  +  1) 
let  (eft  =  est  +  dur  -  1, 

1ft  =  1st  +  dur  -  1) 
if  est  =  1ft 

then  format  (true,  ""Sa'vQa”'/," , 
nm,  est,  "*") 
elseif  1st  =  est 

then  format  (true,  "~8a”v@a''v, , , '*®a~y," , 
nm,  est,  "<",  1ft  -  1st,  ">") 
elseif  1st  <  eft 

then  format  (true,  "~8a"v@a~v, , , '-®a"v, , , '*Sa”v, , , '-@a"'/,", 

nm,  est,  "(".  1st  -  est,  ")",  eft  -  1st,  "[",  1ft  -  eft,  "]") 
elseif  1st  =  eft 

then  format  (true,  ""8a~v®a”v, , , '-®a"v, , , '-Qa")!" , 
nm,  est,  "(",  1st  -  est,  "X",  1ft  -  eft,  "]") 
else  format  (true,  ""8a~v®a"v, , , '-®a~v, , , '-®a*'v, , , ’-®a~*/,"  , 

nm,  est,  "(",  eft  -  est,  " [" ,  1st  -  eft,  ")",  1ft  -  1st,  "]") 


function  print-ascii-hist 

(hist:  map(time,  state-type),  sched:  seq(activity) ,  scale?:  boolean) 
let  (height  =  reduce(max,  image(lambda  (st:  state-type) 
st .num-unav-ress  -  st.acploss?, 
range (hist))) , 

width  =  reduce (max, 

image(lambda  (act:  activity)  act. 1st  +  act .duration, 
sched))) 

let  (scale-factor  =  if  width  <  100  then  1  else  width  div  100  +  1) 
(enumerate  j  over  [0  . .  height]  do 
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let  (i  =  height  -  j , 
var  this-h  =  0, 
var  ign-ctr  =  0) 

format (true,  ""TQa  ",  i) ; 

(enumerate  k  over  [0  . .  width]  do 
let  (st:  state-type  =  hist(k)) 
this-h  <-  (if  defined? (st) 

then  st .num-unav-ress  -  st.acploss? 
else  this-h) ; 
ign-ctr  <-  ign-ctr  +1; 

if  ign-ctr  =  scale-factor 
then  princ(if  this-h  =  i  then  else  "  "); 
ign-ctr  <-  0) ; 
format(true,  ""'/,")); 

(if  scale?  then 

format (true,  ""9@a",  0); 

(enumerate  sn  over  [1  . .  width  div  scale-factor  div  10]  do 
format (true,  ""lOQa",  sn  *  10  *  scale-factor)); 
format  (true,  ""'/")); 
values 0 


function  print-ascii-gannt-and-poss-hist(sched:  seq(activity) )  = 
print-ascii-gannt(sched) ; 

print-ascii-hist (construct-state-map-pos (sched) ,  sched,  false) 


y.y.y.y.y.y.y.y.yx/.y.nny.y.y.y//x///x///.y.y.  gs  operators  &  functions  y.y.y,y.y.y.y.y.y.y.y.y.y.y.y.y,y.y.y.y. 
y.y.y////.y//.y.y.y.y.y.y.y.y.y.y.  Refinement  order  y.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y. 


y,  p-sched  refines  to  qsched  ;  p-state-hist  refines  to  q-state-hist 
y  p-state-evs  refines  to  q-state-evs 
y  drs  20ct95:  reversed  the  order  of  1st  inequality 

function  REFINES-TO 

(p-sched  :  sched,  q-sched  :  sched)  :  boolean 
=  (  size(p-sched)  <=  size(q-sched) 

&  fa(i  ;  integer) 

(  i  in  [1  . .  size(p-sched)] 

=>  (p-sched(i) .est  <=  q-sched(i) .est  & 

q-sched(i) .1st  <=  p-sched(i) .1st 

))) 


function  SEQ-SATISFIES 

(p-sched  :  seq(activity) ,  sched  :  seq(activity))  iboolean 
=  ref ines-to (p-sched,  sched) 
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yXVIXVIXVI,yXIXVIXyXVIXVI^^^^^^^^  inferred  Safety  Constraints  VLVIXItVIXVIXIX 


function  Consistent-ac-power-f ilter(  p-schedule:  sched, 
def -state-map:  st-hist-map) 

:  boolean 

=  fa  (tl: integer,  act:  integer) 

(tl  in  domain(def-state-map)  &  act  in  domain (p-schedule)  & 
"empty (p-schedule (act) . effect-set) 

&  "empty (intersect (p-schedule(act) .effect-set, 
def -St at e-map (tl) .list-av-ress)) 

=>  def-state-map(tl) .num-unav-ress  <= 

(1  +  def-state-map(tl) .acploss?)) 


function  Consistent-ac-power-propl(  p-schedule:  sched, 
def-state-map:  st-hist-map) 

:  boolean 

=  fa  (tl: integer,  t2: integer,  act:  integer) 

(tl  in  domain (def-state-map)  k  act  in  domain(p-schedule) 

&  "empty (p-schedule (act) .effect-set) 

&  t2  =  find-time-after(tl,  def-state-map (t 1) ,  def-state-map) 
k  defined? (t2)  k 

def-state-map (tl) .num-unav-ress  =  (1  +  def-state-map (tl) .acploss?)& 

"empty (intersect (p-schedule (act) . effect-set , 
def -St at e-map (tl) . list-av-ress) ) 
k  (p-schedule (act) .est  >  (tl  -  p-schedule(act) .duration)) 

=> 

t2  <=  p-schedule (act) .est  ) 


function  Consistent-ac-power-prop2(  p-schedule:  sched, 

def-state-map:  st-hist-map) 

:  booleein 

=  fa  (tl: integer,  t2: integer,  act:  integer) 

(tl  in  domain(def-state-map)  k  act  in  domain(p-schedule) 
k  "empty (p-schedule (act) .effect-set)& 
t2  =  f ind-time-after(tl ,  def-state-map(tl) ,  def-state-map) 
k  defined? (t 2)  k 
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def-state-map(tl) .num-unav-ress  =  (1  +  def-state-map(tl) .acploss?)& 

"empty (intersect (p-schedule (act) . effect-set , 
def-state-map(tl) .list-av-ress)) 

&  t2  >  p-schedule(act) .1st 

=>  (p-schedule (act) .1st 
<=  tl  -  p-schedule (act) .duration)) 


function  f ind-time-after(tl :  time,  tl-val:  state-type, 

def-state-hist-map:  st-hist-map) 

;  time 

=  let  (val  =  undefined) 
ti-val  =  def-state-hist-map (ti) 

&  ti  >  tl 

&  (defined? (val)  =>  ti  <  val) 

— >  val  <-  (val;  ti); 
val 


Extract 


function  new-activity 

(act-i  :  activity)  :  activity 
=  act-i. ft  <-  act-i. est  +  act-i .duration; 
act-i. st  <-  act-i. est; 
act-i 

function  Extract-schedule 
(ps  :  seq(activity))  :  sched 
=  [  new-activity(ps(i)) 

I  (i: integer) 

i  in  domain(ps)] 


function  excess-poss? 

(int  :  tuple (time,  time))  :  boolean 
=  defined? (int) 


•/.- 
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THEORY-LAWS 


- - - Finite  Difference 

DEFINITE 


assert  DISTRIBUTE-const-def-STATE-map-OVER-EMPTY 
fa  0 

(construct-state-map-def ( [] )  =  *initial-state-map*) 

assert  DISTRIBUTE-const-def-STATE-map-OVER-APPEND 
fa  (ps;  sched,  qs:sched,  act:  activity) 

(  construct-state-map-def (append (ps,  act)) 

=  construct-state-map-def (ps)  +* 

fd-def-app(act ,  ps,  act .effect-set, 
act. 1st,  act.est  +  act .duration, 
construct-state-map-def (ps) ) ) 


assert  DISTRIBUTE-CONST-def-STATE-map-OVER-EXTEND-EST 
fa  (ps:  sched,  qs: sched,  i: integer,  n-est:  time) 

(  construct-state-map-def (seq-shadowl(ps,  i, 
tuple-shadow(ps(i) .est, 
n-est))  ) 

=  construct-state-map-def (ps) 

+*  fd-def-ext-est(i,  ps,  ps(i) .effect-set , 
ps(i).est  +  ps(i) .duration, 
n-est  +  ps(i) .duration, 
construct-state-map-def (ps) ) ) 

assert  DISTRIBUTE-CONST-def-STATE-map-OVER-EXTEND-lst 
fa  (ps:  sched,  qs: sched,  i: integer,  n-lst:  time) 
(construct-state-map-def (seq-shadowl (ps ,  i , 
tuple-shadow(ps(i) .1st, 
n-lst))) 

=  construct-state-map-def (ps)  +* 

fd“def-ext-lst(i,  ps,  ps(i) .effect-set, 
n-lst,  ps(i).lst,  construct-state-map-def (ps))) 

POSSIBLE 

assert  DISTRIBUTE-CONST-pos-STATE-map-OVER-EXTEND-EST 
fa  (ps:  sched,  qs: sched,  i: integer,  n-est) 
(construct-state-map-pos 

(seq-shadowl (ps,  i,  tuple-shadow(ps(i) .est, n-est))  ) 
=  construct-state-map-pos (ps) 
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+*  fd-pos-ext-est(i,  ps, 
ps(i) .effect-set, 
ps(i).est  , 
n-est , 

construct-state-map-pos (ps) ) ) 

assert  DISTRIBUTE-CONST-pos-STATE-map-OVER-EXTEND-LST 
fa  (ps:  sched,  qsrsched,  i: integer,  n-lst) 
(construct-state-map-pos 

(seq-shadowl(ps,  i,  tuple-shadow(ps(i) .1st ,  n-lst))  ) 
=  construct-state-map-pos (ps) 

+*  fd-pos-ext-lst (i,  ps,  ps(i) .effect-set , 
n-lst  +  ps(i) .duration  , 
ps(i).lst  +  ps(i) .duration, 
construct-state-map-pos(ps))) 


vmixvm 


assert  DISTRIBUTE-ALL-ACTIVITIES-SCHEDULED 

fa  (Acts:  seq(activity) ,  Sched:  seq(activity) ) 
(ALL-ACTIVITIES-SCHEDULED(Acts ,  Sched) 

=  (Included-activities(Acts)  =  Included-activities (Sched))) 

assert  DISTRIBUTE-ALL-ACTIVITIES-SCHEDULED-OVER-EMPTY-SEQ 
fa  (A:  seq(activity) ) 

(all-activities-scheduled(  A  ,[])  =  false) 


assert  DISTRIBUTE-INCLUDED-ACTIVITIES-OVER-EMPTY-SEQ 
fa  0 

(Included-activities ([] )  =  {}) 

assert  DISTRIBUTE-INCLUDED-ACTIVITIES-OVER-CONCATENATE 
fa  (SI:  seq(activity) ,  S2:  seq(activity)) 

(Included-activities(Sl  union  S2)  =  Included-activities (SI)  union 

Included-activities (S2)) 


assert  DISTRIBUTE-INCLUDED-ACTIVITIES-OVER-APPEND 
fa  (S:  seq(activity) ,  A:  activity) 

(Included-activities(append(S,A))  =  Included-activities (S)  union 

Included-activities ( [A] ) ) 


(A 


assert 

CONSISTENT-ACTIVITY-SEPARATION-EST-to-CONSISTENT-ACTIVITY-SEPARATION-EST 
fa(PS)(  fa(S)(REFINES-TO(S,  PS)  =>  CONSISTENT-ACTIVITY-SEPARATION-EST(S)) 
=>  CONSISTENT-ACTIVITY-SEPARATION-EST(PS) ) 


assert 

CONSISTENT-ACTIVITY-SEPARATION-LST-to-CONSISTENT-ACTIVITY-SEPARATION-LST 
fa(PS)(  fa(S)(REFINES-TO(S,  PS)  =>  CONSISTENT-ACTIVITY-SEPARATION-LST(S)) 
=>  CONSISTENT- ACTIVITY-SEPARATION-LST (PS) ) 


assert  get-activity-over-append-predecessors 

fa(q,e,j)  get-activity(append(q,  e) ,  e.predecessors(j)) 
=  get-activity(q,  e. predecessors (j)) 


»/«/«/ 0/0/ •/»/•/•/•/•/•/•/•/•/•/•/•/•/•/•/•/•/•/•/•/•/•/'/•/•/ Vi 


y. - 

THEORY-RULES 


function  RULE-DISTRIBUTE-const-def-STATE-map-OVER-EMPTY 
()  rb-compile-simplificat ion-equality 

DISTRIBUTE-const-def-STATE-map-OVER-EMPTY 


function  RULE-DISTRIBUTE-const-def-state-map-OVER-append 
0  rb-compile-simplif ication-equality 

D I STRI BUTE- const-def -STATE-map-OVER- append 


f unct ion  RULE-DI STRI BUTE- const -def -STATE-map-0 VER-Ext end-e st 
0  rb-compile-simplif ication-equality 

DISTRIBUTE-const-def-STATE-map-OVER-Extend-est 

function  RULE-DISTRIBUTE-const-def-STATE-map-OVER-Extend-lst 
0  rb-compile-simplif ication-equality 

DISTRIBUTE-const-def-STATE-map-OVER-Extend-lst 
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y, possible 


function  RULE-DISTRIBUTE-DISTRIBUTE-CONST-pos-STATE-map-OVER-EXTEND-EST 
()  rb-compile-simplificat ion-equality 

DISTRIBUTE-const-pos-state-map-OVER-extend-est 


function  RULE-DISTRIBUTE-DISTRIBUTE-CONST-pos-STATE-map-OVER-EXTEND-lST 
()  rb-compile-simplificat ion-equality 

DISTRIBUTE-const-pos-state-map-OVER-extend-lst 


y//.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y.y. 


function 

RULE-DISTRIBUTE-ALL-ACTIVITIES-SCHEDULED-OVER-EMPTY-SEQ-REWRITE 
0  rb-compile-simplificat ion-equality 

DISTRIBUTE-ALL-ACTIVITIES-SCHEDULED-OVER-EMPTY-SEq 

function 

RULE-DISTRIBUTE-INCLUDED-ACTIVITIES-OVER-EMPTY-SEQ-REWRITE 
0  rb-compile-simplificat ion-equality 

DISTRIBUTE-INCLUDED-ACTIVITIES-OVER-EMPTY-SEq 

function 

RULE-DISTRIBUTE-INCLUDED-ACTIVITIES-GVER-CONCATENATE-REWRITE 
()  rb-compile-simplificat ion-equality 

DISTRIBUTE-INCLUDED-ACTIVITIES-OVER-CGNCATENATE 

function 

RULE-DISTRIBUTE-INCLUDED-ACTIVITIES-GVER-APPEND-REWRITE 
()  rb-compile-simplificat ion-equality 

DISTRIBUTE-INCLUDED-ACTIVITIES-GVER-APPEND 

function  rule-get-activity-over-append-predecessors  () 

rb-compile-simplificat ion-equality  get-activity-over-append-predecessors 

y, - 

THEGRY-MISC-LAWS 

y - 
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THEORY-MISC-DEFS 

W.  •/.  ARE  THESE  RULES  CORRECT 


mm:/. 


function 

OUTAGE-RULE-CONSISTENT-ACTIVITY-SEPARATION-EST-TO-CONSISTENT-ACTIVITY 
-SEPARATION-EST  (a) 
computed-using 

a  =  'fa(S0)(refines-to(QPS0,S0)  =>  CONSISTENT-ACTIVITY-SEPARATION-EST(SO)) ' 
&  new-a  =  make-structure ( 

‘##r  RB-GRAMMAR 

(rule-instance-make  UNDEFINED, 

CONSISTENT- ACTIVITY-SEPARATION-ESTC® (c-t (PSO) ) ) , 

$o,  $o, 

+  1,  OUTAGE-RULE-CONSISTENT-ACTIVITY-SEPARATION-EST-TO- 

CONSISTENT-ACTIVITY-SEPARATION-EST) ’ ) 

=>  OUTAGE-RULE-CONSISTENT-ACTIVITY-SEPARATION-EST-TO-CONSISTENT- 
ACTIVITY-SEPARATION-EST (a) 

=  new-a 


function 

OUTAGE-RULE-CONSISTENT-ACTIVITY-SEPARATION-LST-TO-CONSISTENT-ACTIVITY- 
SEPARATION-LST  (a) 
computed-using 

a  =  'fa(S0)(refines-to((aPS0,S0)  =>  CONSISTENT-ACTIVITY-SEPARATION-LST(SO)) ' 
&  new-a  =  make-structure( 

'##r  RB-GRAMMAR 

(rule-instance-make  UNDEFINED, 

CONSISTENT-ACTIVITY-SEPARATION-LST(@(c-t(PSO))) , 

${}.  ${}, 

1 ,  OUTAGE-RULE-CONSISTENT-ACTIVITY-SEPARATION-LST-TO-CONSISTENT 
-ACTIVITY-SEPARATION-LST) ’ ) 

=>  OUTAGE-RULE-CONSISTENT-ACTIVITY-SEPARATION-LST-TO-CONSISTENT-ACTIVITY 
-SEPARATION-LST(a) 

=  new-a 


function 

OUTAGE-RULE-Consistent-ac-power-to-Consistent-ac-power-propl  (a) 
computed-using 

a  =  'fa(SO) (refines-to(®PSO,SO)  =>  Consistent-ac-power(SO) ) ' 

&  new-a  =  make-structure( 

'##r  RB-GRAMMAR 

(rule-instance-make  UNDEFINED, 
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Consistent-ac-power-propl (0 (c-t (PSO) ) , 
construct-state-map-def (Q(c-t (PSO)))) , 

$o,  $o, 

1 ,  OUTAGE-RULE-Consistent-ac-power-to-Consistent-ac-power-propl) ' ) 
=>  OUTAGE-RULE-Consistent-ac-power-to-Consistent-ac-power-propl(a) 

=  new- a 

function 

OUTAGE-RULE-Consi st ent-ac-power-to-Cons i st ent -ac-power-f ilt er  ( a) 
computed-using 

a  =  'fa(SO) (refines-to(@PS0,S0)  =>  Consistent-ac-power(SO) ) ^ 

&  new-a  =  make-structure( 

'##r  RB-GRAMMAR 

(rule-instance-make  UNDEFINED, 

Consist ent-ac-power-filter(@ (c-t (PSO) ) , 
construct-state-map-def (® (c-t (PSO) ) ) ) , 

$0,  ${}, 

1 ,  OUTAGE-RULE-Consistent-ac-power-to-Consistent-ac-power-f ilter) ’ ) 
=>  OUTAGE-RULE-Consistent-ac-power-to-Consistent-ac-power-f ilter(a) 

=  new-a 

function 

DUTAGE-RULE-Consistent-ac-power-to-Consistent-ac-power-prop2  (a) 
computed-using 

a  =  'fa(SO) (ref ines-to(®PS0,S0)  =>  Consistent-ac-power(SO) ) ' 

&  new-a  =  make-structure ( 

'##r  RB-GRAMMAR 

(rule-instance-make  UNDEFINED, 

Consistent-ac-power-prop2 (® (c-t (PSO) ) , 
construct-state-map-def (® (c-t (PSO) ) ) ) , 

$o,  $o, 

1 ,  0UTAGE-RULE-Consistent-ac-power-to-Consistent-ac-power-prop2) ’ ) 
=>  0UTAGE-RULE-Consistent-ac-power-to-Consistent-ac-power-prop2(a) 

=  new-a 


•/. - 

THEORY-MI SC-RULES 


rule  tuple-deref-seq-appl-over-get-activity-index-seq-shadowl-tuple-shadow(a) 
also  {|  index-on  ->  <'rb-simplification-rules,  'get-field>  1} 
a  =  '®q0 (get-activity-index 

(seq-shadowl(®ql,  ®ipl,  tuple-shadow(®q2(®ip2) .®fi,  ®®)), 

®k)) 

.®fo' 
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&  term-equal? (qO,  ql)  &  term-equal? (ql,  q2)  &  t erm- equal ?( ip 1,  ip2) 
&  fi  "=  fo 

— >  a  =  ‘ QqO (get-activity-index (®ql ,  Qk)).®fo' 

rule  tuple-deref -over-get-act ivity-seq-shadowl-tuple-shadow(a) 

also  -Cl  index-on  ->  <'rb-simplification-rules,  ’get-field>  1} 
a  =  'get-activity 

(seq-shadowl(Qql,  ®ipl,  tuple-shadow(Qq2(Qip2) .Qf i,  QQ)), 

®k) 

.®fo’ 

&  term-equal? (ql,  q2)  &  term-equal? (ipl ,  ip2) 

&  fi  "=  fo 

— >  a  =  ‘get-activity(®ql,  ®k).®fo’ 

rule  def ined?-over-get-activity-seq-shadowl-tuple-shadow(a) 

also  {1  index-on  ->  <'rb-simplificat ion-rules,  ’defined?>  1} 
a  =  'defined?(get-activity 

(seq-shadowl(®ql,  ®ipl,  tuple-shadow (®q2 (®ip2) .®®,  ®®)), 

®k) ) ' 

&  term-equal? (ql,  q2)  &  term-equal? (ipl,  ip2) 

— >  a  =  ‘defined?(get-activity(®ql,  ®k))' 

y.y.  Not  certain  that  this  is  valid 

rule  get-activity-over-append-predecessors (a) 

also  {|  index-on  ->  <’rb-simplification-rules,  'get-activity>  1} 
a  =  'get-activity(append(®q,  ®el) ,  ®e2.predecessors(®j)) ’ 

&  term-equal? (el ,  e2) 

— >  a  =  'get-activity(®q,  ®e2 .predecessors(®j) ) ' 


- - 

THEORY-MISC-FORMS 

form  remove-SOME-OP-SIMPLIFICATION-RULES 
remove-rb-simplificat ion-rules ( ' some , 

■C'basic-boolean-theory-distribute-some-over-ordered-or-into-ex-form}) 

form  add-SOME-OP-SIMPLIFICATION-RULES 
add-rb-simplification-rules('some, 

{'basic-boolean-theory-rule-distribute-var-def initions-in-some-op}) 
y.y,  »basic-boolean-theory-rule-distribute-var-definitions-in-some-op 

form  remove-member-SIMPLIFICATION-RULES 
remove-rb-simplif icat ion-rules ( 'member. 
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{ ' seq-theory-rule-distribute-in-over-interval}) 


form  remove-defined?-SIMPLIFICATION-RULES 
remove-rb-simplificat ion-rules 

( ' defined? ,  { ' regroup-type-rule-definedness-of-f unction-parameter}) 


form  remove-seq-theory-rule-distribute-in-over-reverse 
remove-rb-simplif icat ion-rules ( 'member, 

{ ’ seq-theory-rule-distribute-in-over-reverse}) 


form  ADD-universal-FI-laws 
ADD-RB-FORWARD-IMPLICATIONS 
( 'f orall , 

{  'OUTAGE-RULE-CONSISTENT-ACTIVITY-SEPARATION-EST-TO-CONSISTENT-ACTIVITY 
-SEPARATION-EST 

,  'OUTAGE-RULE-CONSISTENT-ACTIVITY-SEPARATION-LST-TO-CONSISTENT-ACTIVITY 
-SEPARATION-LST 

,  ' OUTAGE-RULE-CONSISTENT-AC-POWER-TO-CONSISTENT-AC-POWER-f ilter 
,  ' OUTAGE-RULE-CONSISTENT-AC-PDWER-TO-CONSISTENT-AC-POWER-PROPl 
,  ' 0UTAGE-RULE-C0NSISTENT-AC-P0WER-T0-C0NSISTENT-AC-PQWER-PR0P2 
}) 

form  ADD-AND-SIMPLIFICATION-RULES 

%*/,  associative  commutative  idempotent  identity  fixpoint 
add-simplification-rules-for-operator('and)  '/,  ; 

*/,  add-rb-simplif ication-rules  ( ’  and , 

y.  {’basic-boolean-theory-rule-distribute-and-over-or}) 
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Appendix  D  -  Global  Search  Theories  for  the 
Outage  Problem 


Appendix  D  contains  the  global  search  theory  for  scheduling  considering  the  definite 
period  of  activities. 


form  index-outage-scheduling 

gs-activities  =  make-binding('gs-activities) 

&  full-sched  =  make-binding('full-sched) 

&  p-sched  =  make-binding('p-sched) 

ft  unsched-acts  =  make-binding( ’unsched-acts) 

ft  def-state-map  =  make-binding(  Mef-state-map) 

ft  p-sched-new  =  make-binding C'p-sched-new) 

ft  def- state-map-new  =  make-binding('def -state-map-new) 

ft  unsched-acts -new  =  make-binding('unsched-acts-new) 

ft  gs-act  =  make-binding(’gs-act) 


— > 


'##r  cypress-grammar 

(Global-Search-Theory  GS-OUTAGE-SCHEDULING 

input-types  seq(activity) 
input-vars  gs-activities 
input-condition  true 

output-types  seq(activity) 
output -vars  full-sched 
output - condit ion 

all-activities-scheduled(gs-activities ,  full-sched) 

subspace-types 

seqC activity) , 
seq(activity) , 

St -hist -map 
subspace-vars 
p-sched, 
unsched-acts, 
def-state-map 
subspace-split-vars 
p-sched-new, 
unsched-acts-new, 
def -state-map-new 
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subspace-vars-constraint 

def-state-map  =  construct-state-map-def (p-sched) 

&  included-activities(gs-activities)  =  included-activities(p-sched) 

union  included-activities (unsched-acts) 

&  disjoint (included-activities (p-sched) ,  included-activities (unsched-acts)) 
k  defined? (p-sched) 

Constraint-Info-types 

activity 

Constraint-Info-vars 

gs-act 

Constraint-Info-condition 

gs-act  =  first (unsched-acts) 

Splitting-constraint 

p-sched-new  =  append (p-sched,  gs-act) 
k  unsched-acts-new  =  rest (unsched-acts) 

k  def-state-map-new  =  construct-state-map-def (p-sched-new) 
satisfies 

ref ines-to (p-sched ,full-sched) 
refines 

ref ines-to (p-sched,  p-sched-new) 
initial-space 

(<  □  ,  sort-activities (gs-activities) , 

*initial-state-map*>) 

extract 

full-sched  =  p-sched 
Extractable 

unsched-acts  =  [] 

Splittable 

unsched-acts  ~=  [] 

)'  in  gs-theories-prop(find-global('powersequence)) 

form  index-out age-poss-scheduling 
gs-ps  =  make-binding ('gs-ps) 
k  full-sched  =  make-binding( ’full-sched) 
k  p-sched  =  make-binding ( ’p-sched) 
k  def-state-map  =  make-biriding( ’def-state-map) 
k  poss" state-map  =  make-binding(’poss-state-map) 
k  p-sched-new  =  make-binding ( ’p-sched-new) 
k  def-state-map-new  =  make-binding( ’def-state-map-new) 
k  poss-state-map-new  =  meike-binding( ’poss-state-map-new) 
k  gs-high-poss-interval  =  make-binding ( ’gs-high-poss-interval) 
k  gs-res-index  =  make-binding( ’gs-res-index) 
k  gs-split-time  =  make-binding( ’gs-split-time) 
k  gs-switch  =  meike-binding( ’gs-switch) 
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— > 


Global  search  theory  for  time  window  refinement  that  takes  into  consideration  the 
potential  period  of  activities. 


‘##r  cypress-grammar 

(Global-Search-Theory  GS-OUTAGE-poss-SCHEDULING-1 

input-types  seq(activity) 
input-vars  gs-ps 
input-condition  true 

output-types  seq(activity) 
output-vars  full-sched 
output-condition 

all-activities-scheduled(gs-ps ,  full-sched) 

subspace-types 

seq(activity) , 
st-hist-map, 
st-hist-map 
subspace-vars 
p-sched, 
def- St at e-map, 
poss-state-map 
subspace-split-vars 
p-sched-new, 
def -state-map-new, 
poss-state-map-new 
subspace-vars-constraint 

def-state-map  =  construct-state-map-def (p-sched) 

&  poss-state-map  =  construct-state-map-pos (p-sched) 
Constraint-Inf o-types 

tupleCfcime,  time),  integer,  time,  integer 
Constraint “Inf o-vars 

gs-high-poss-interval , 

*/,  gs-res ,  computed 
gs-res-index,  gs-split-time, 
gs-switch 

Const raint-Info-condit ion 
gs-higb-poss-interval 

=  longest-highest-poss-excess-interval (poss-state-map) 


73 


&  gs-res-index 

=  maximally-poss-act-in-poss-interval 
(p-sched ,  gs-high-poss-interval . 1 ,gs-high-poss-interval . 2 , 

poss-state-map(gs-high-poss-interval. 1) .unav-res-map) 

&  gs-split-time 

=  poss-interval-split-tiitie(p-sched(gs-res-index) , 
gs-high-poss-interval . 1 , 
gs-high-poss-interval . 2) 

&  defined? (gs-split-time) 

&  gs-switch  in  [0,  1]  '/,  1  causes  things  to  be  scheduled  early 
&  (gs-switch  =  0 

&  gs-split-time  "=  p-sched(gs-res-index) .1st 
or 

gs-switch  =  1 

&  1  +  gs-split-time  ~=  p-sched(gs-res-index) .est) 
Splitting-constraint 
if  gs-switch  =  0 
then  p-sched-new 

=  seq-shadowl (p-sched, 
gs-res-index, 

tuple-shadow(p-sched(gs-res-index) . 1st , 
gs-split-time) ) 

&  def -state-map-new  =  construct-state-map-def (p-sched-new) 

&  poss-state-map-new  =  construct-state-map-pos (p-sched-new) 
else 

p-sched-new 
=  seq-shadowl (p-sched, 
gs-res-index, 

tuple-shadow(p-sched(gs-res-index) . est , 

1  +  gs-split-time)) 

&  def-state-map-new  =  construct-state-map-def (p-sched-new) 

&  poss-state-map-new  =  construct-state-map-pos (p-sched-new) 
satisfies 

ref ines-to (p-sched ,full-sched) 
refines 

ref ines-to (p-sched,  p-sched-new) 
initial-space 

(<gs-ps,  construct-state-map-def (gs-ps) , 
construct-state-map-pos (gs-ps)  >) 

extract 

full-sched  =  extract-schedule (p-sched) 

Extractable 

"excess-poss? 

(longest-highest-poss-excess-interval(poss-state-map)) 
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Splittable 

excess-poss? 

(longest-highest-poss-excess-interval(poss-stat e-map)) 
)'  in  gs-theories-prop(f ind-global( 'powersequence)) 


<^U.S.  GOVERNMENT  PRINTING  OFFICE:  1996-509-127-47063 


75 


MISSION 

OF 

ROME  LABORATORY 


Mission.  The  mission  of  Rome  Laboratory  is  to  advance  the  science  and 
technologies  of  command,  control,  communications  and  intelligence  and  to 
transition  them  into  systems  to  meet  customer  needs.  To  achieve  this, 
Rome  Lab: 


a.  Conducts  vigorous  research,  development  and  test  programs  in  ail 
applicable  technologies; 

b.  Transitions  technology  to  current  and  futojre  systems  to  improve 
operations^  capability,  readiness,  and  supportability; 

c.  Provides  a  full  range  of  technical  support  to  Air  Force  Materiel 
Command  product  centers  and  other  Air  Force  organizations; 

d.  Promotes  transfer  of  technology  to  the  private  sector; 

e.  Maintains  leading  edge  tedinological  expertise  in  the  areas  of 
surveillance,  communications,  command  and  control,  intelligence,  reliability 
science,  electro-magnetic  technology,  photonics,  signal  processing,  and 
computationai  science. 


The  thrust  areas  of  technicai  competence  include:  Surveillance, 
Communications,  Command  and  Control,  Intelligence,  Signal  Processing, 
Computer  Science  and  Technology,  Bectromagnetic  Technology, 
Photonics  and  Reliability  Sciences. 


